JWT Decoder

Decode & inspect JSON Web Tokens

Sample token (the decoder's default input):

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IlN5bnRheGx5IFVzZXIiLCJhZG1pbiI6dHJ1ZSwiaWF0IjoxNzE2MjM5MDIyLCJleHAiOjE5MTYyMzkwMjJ9.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Decoded header (alg and type):
{"alg":"HS256","typ":"JWT"}

Decoded payload (claims):
{"sub":"1234567890","name":"Syntaxly User","admin":true,"iat":1716239022,"exp":1916239022}

Registered claims, as the decoder labels them (Unix seconds, with the date shown in UTC):
sub · Subject · 1234567890
iat · Issued at · 1716239022 · 5/20/2024, 9:03:42 PM
exp · Expires · 1916239022 · 9/21/2030, 4:37:02 PM

name and admin are not registered claims (RFC 7519 section 4.1), so they appear only in the raw payload. The token is inside its validity window, so the decoder reports no expiry problem.

Signature: SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c (the Base64URL-encoded HMAC-SHA256 tag; it cannot be checked here because the secret is not available)

Decoding never verifies the signature — that requires the issuer's secret or public key. This tool inspects claims only.

Deep dive

What a JWT is

A JSON Web Token (JWT, RFC 7519) is a compact, URL-safe way to carry claims between parties, most often a login session that a server issues to a client and the client presents on later requests. It is three Base64URL segments joined by dots: header.payload.signature.

The header names the signing algorithm; the payload holds the claims (who the user is, when the token expires); and the signature is computed over the first two segments (the encoded header and payload, exactly as they appear in the token) with a secret or private key. That signature is the whole point: it lets a server confirm the token has not been tampered with. Two caveats follow from this. First, the payload is only encoded, not encrypted, so anyone holding the token can read it. Second, the header is part of what the signature protects but is read before the signature is checked, so a verifier must decide which algorithm and key it will accept rather than letting the header choose for it.

This decoder shows the header and payload, labels the registered claims, and flags an expired window. It never verifies the signature, since that needs a key you should not paste into a browser. Decoding runs 100% locally.
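The decoding step described above, as an added example rather than the Syntaxly tool's own source. It restores the padding that Base64URL omits, refuses input that is not a three-segment signed token, and evaluates the exp/nbf/iat window with a clock-skew leeway. The sample token is the one shown at the top of the page; the function names, the 60-second leeway and the extra future-iat check are choices made for this example.

```javascript
// Added example, not the Syntaxly decoder's own source: decode a JWT's header and
// payload without verifying it, then evaluate the time-claim window. Uses only
// atob/TextDecoder, which are global in browsers and in Node 16+.

// Sample input: the token shown at the top of the page (HS256, admin:true).
const SAMPLE_TOKEN =
  "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9." +
  "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IlN5bnRheGx5IFVzZXIiLCJhZG1pbiI6dHJ1ZSwiaWF0IjoxNzE2MjM5MDIyLCJleHAiOjE5MTYyMzkwMjJ9." +
  "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c";

// Base64URL (RFC 4648 section 5) uses '-' and '_' and drops '=' padding, so
// restore both before handing the string to atob(), which expects plain base64.
function base64UrlDecode(segment) {
  if (!/^[A-Za-z0-9_-]*$/.test(segment)) throw new Error("segment is not Base64URL");
  const padded =
    segment.replace(/-/g, "+").replace(/_/g, "/") + "=".repeat((4 - (segment.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8").decode(bytes); // claims may contain non-ASCII text
}

// Split, decode and parse. A signed JWT (JWS) has exactly three segments; five
// segments means an encrypted JWT (JWE), whose payload cannot be read this way.
// The result carries verified:false to make the trust level explicit to callers.
function decodeJwt(token) {
  const parts = token.trim().split(".");
  if (parts.length === 5) throw new Error("JWE (5 segments): payload is encrypted, not just encoded");
  if (parts.length !== 3) throw new Error(`expected 3 segments, got ${parts.length}`);
  const [h, p, signature] = parts;
  const header = JSON.parse(base64UrlDecode(h));
  const payload = JSON.parse(base64UrlDecode(p));
  if (!header || typeof header !== "object" || !payload || typeof payload !== "object") {
    throw new Error("header and payload must be JSON objects");
  }
  return { header, payload, signature, verified: false };
}

// Validity window from the registered time claims (RFC 7519 sections 4.1.4-4.1.6).
// `now` is Unix seconds; `leeway` (an assumption of this example) absorbs clock skew.
// Only exp and nbf bound validity; iat is informational, but an iat in the future
// indicates a bad clock or a hand-made token, so this example reports it as well.
function timeWindow(payload, now = Math.floor(Date.now() / 1000), leeway = 60) {
  const reasons = [];
  if (typeof payload.exp === "number" && now >= payload.exp + leeway) reasons.push("expired");
  if (typeof payload.nbf === "number" && now < payload.nbf - leeway) reasons.push("not yet valid (nbf)");
  if (typeof payload.iat === "number" && payload.iat > now + leeway) reasons.push("iat is in the future");
  const iso = (t) => (typeof t === "number" ? new Date(t * 1000).toISOString() : null);
  return { ok: reasons.length === 0, reasons, iat: iso(payload.iat), nbf: iso(payload.nbf), exp: iso(payload.exp) };
}

// Usage: inspect the sample token as of the moment it was issued.
const sample = decodeJwt(SAMPLE_TOKEN);
console.log(sample.header.alg, sample.payload.sub, timeWindow(sample.payload, sample.payload.iat));
```

The `verified: false` field is deliberate: anything downstream that reads `payload` from this function can see at a glance that the claims are untrusted input until a server-side check has run.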

Reference

Decoding vs. verifying

Decoding (this tool)

Base64URL-decodes the header and payload so you can read the claims. No key needed. Good for: debugging a token; checking claims & expiry; inspecting the algorithm.

Verifying (your server)

Recomputes the HMAC with the shared secret (HS256 and friends) or checks the signature against the issuer's public key (RS256, ES256, ...) to prove the token is authentic and untampered, and only then evaluates the claims. Needed for: authenticating requests; trusting the claims; enforcing expiry.
In practice

Where developers use it

01 · Debugging a login

Paste the token your app received to confirm the sub, roles, and exp claims are what you expect.

02 · Checking expiry

See an exp timestamp as a readable date to work out whether a session has already lapsed.

03 · Inspecting the algorithm

Read the header's alg field to confirm a token is signed the way your backend requires. Treat what you see as a hint only: the alg field is input the sender controls, so your backend must enforce its own expected algorithm and key type rather than adopting whatever the header says.

Questions

Frequently asked questions

Does this tool verify the signature?

No. Decoding and verifying are different. This tool reads the header and payload, but checking the signature requires the issuer's secret or public key, which you should never paste into a web page. Always verify on your server, with the expected algorithm pinned, before trusting a token's claims.

Is the payload encrypted?

No. A standard JWT is signed, not encrypted. The header and payload are just Base64URL-encoded JSON, readable by anyone who has the token. Never put passwords or sensitive data in the payload; the signature proves it was not altered, not that it is hidden. If the contents must stay confidential, use an encrypted JWT (JWE) or keep the data server-side and reference it by ID.

What are iat, exp and nbf?

They are the standard time claims, as Unix timestamps in seconds: iat (issued at), exp (expires), and nbf (not before). A token is valid from nbf (if present) until exp; iat only records when the token was minted, although a verifier may reject tokens issued too long ago or with an iat in the future. Verifiers usually allow a small leeway for clock skew. This tool shows the three values as readable dates and flags an expired window.

What are the three parts of a JWT?

Header (the algorithm and type), payload (the claims), and signature, joined by dots as header.payload.signature. The first two are Base64URL-encoded JSON; the signature is computed over those two encoded segments with a key.

Is my token uploaded anywhere?

No. The token is decoded entirely in your browser and never uploaded. Since anyone who obtains a token can decode it, still treat tokens as sensitive.

© 2026. Syntaxly | Built for the minimalist developer.