JWT Decoder
Inspect header, payload & signature
Encoded Token
Decoded Header
Decoded Payload
JWT Signature Verification (optional)
Enter the secret used to sign the token to check its authenticity.
Examples
Decode a token's payload
eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0Iiwibm…
{
"sub": "1234",
"name": "Ada Lovelace",
"admin": true
}Humanised time claims
"exp": 2060000000
Expires — Mar 7, 2035 (in 8 years)
Frequently asked questions
Is my token sent to a server?
No. The token is split and Base64URL-decoded entirely in your browser — it never leaves your machine. Even so, avoid pasting production tokens into any online tool.
Does this verify the signature?
No. Verifying a JWT's signature requires the issuer's secret (HMAC) or public key (RSA/ECDSA), which the decoder doesn't have. It shows the signature segment but cannot confirm the token is authentic — decoding is not verification.
How are exp, nbf and iat shown?
These registered claims are Unix timestamps. The decoder converts them to your local date and time, adds a relative hint like "in 3 days" or "5 hours ago", and flags whether the token is Active, Expired or Not yet valid.
What is a JWT made of?
Three Base64URL parts separated by dots: a header (algorithm and type), a payload (the claims), and a signature. The header and payload are just encoded JSON — not encrypted — so anyone can read them.