What a JWT is
A JSON Web Token (JWT, RFC 7519) is a compact, URL-safe way to carry claims between parties — most often a login session passed from a server to a client and back. It's three Base64URL segments joined by dots: header.payload.signature.
The header names the signing algorithm; the payload holds the claims (who the user is, when the token expires); and the signature is computed over both with a secret or private key. That signature is the whole point — it lets a server confirm the token hasn't been tampered with. Crucially, the payload is only encoded, not encrypted: anyone holding the token can read it.
This decoder shows the header and payload, labels the registered claims, and flags an expired window — but it never verifies the signature, since that needs a key you shouldn't paste into a browser. Decoding runs 100% locally.
Decoding vs. verifying
Decoding
Base64URL-decodes the header and payload so you can read the claims. No key needed.
Verifying
Recomputes the signature with the key to prove the token is authentic and untampered.
Where developers use it
Debugging a login
Paste the token your app received to confirm the sub, roles, and exp claims are what you expect.
Checking expiry
See an exp timestamp as a readable date to work out whether a session has already lapsed.
Inspecting the algorithm
Read the header's alg field to confirm a token is signed the way your backend requires.
Frequently asked questions
Does this tool verify the signature?
No. Decoding and verifying are different. This tool reads the header and payload, but checking the signature requires the issuer's secret or public key, which you should never paste into a web page. Always verify on your server before trusting a token's claims.
Is a JWT encrypted?
No — a standard JWT is signed, not encrypted. The header and payload are just Base64URL-encoded JSON, readable by anyone who has the token. Never put passwords or sensitive data in the payload; the signature proves it wasn't altered, not that it's hidden.
What are iat, exp and nbf?
They're standard time claims, as Unix timestamps (seconds since 1970): iat (issued at), exp (expires), and nbf (not before). A token is only valid between nbf/iat and exp; this tool shows them as readable dates and flags an expired window.
What are the three parts of a JWT?
Header (the algorithm and type), payload (the claims), and signature — joined by dots as header.payload.signature. The first two are Base64URL-encoded JSON; the signature is computed over them with a key.
Is my token sent anywhere?
No. The token is decoded entirely in your browser and never uploaded — but since decoding exposes the payload to anyone, still treat tokens as sensitive.