JWT Decoder
Decode JSON Web Tokens instantly. View the header, payload claims, expiry status, and time fields — all in your browser. No data sent to any server.
Paste Your JWT Token
Note: This tool only decodes the header and payload — it does not verify the signature. Never trust a JWT's claims without server-side signature verification.
What is a JWT?
A JSON Web Token has three Base64URL-encoded parts separated by dots: a header (algorithm and token type), a payload (claims like user ID and expiry), and a signature.
Decoding vs verification
Decoding reads the header and payload without checking the signature. This is safe for inspecting a token's content but does not confirm the token is authentic. Signature verification requires the secret key or the public key, depending on the signing algorithm.
Common fields to check
Look for exp (expiry timestamp), iat (issued at), nbf (not before), and sub (subject). The exp and iat values are Unix timestamps — paste them into the Epoch Converter to read the date.
How to use
- Paste your JWT token into the input field.
- The header, payload, and signature are decoded and displayed in separate panels instantly.
- Check the "exp" field to see the expiry time. Click the timestamp to open it in the Epoch Converter.
Examples
- Simple: Paste any xxxxx.yyyyy.zzzzz JWT → the header shows {"alg":"HS256","typ":"JWT"} and the payload shows your claims as readable JSON.
- Developer workflow: An API call is returning 401 Unauthorized. Paste your auth token to check whether the exp claim has already passed, or whether the sub claim matches the expected user ID.
- Edge case: A token that is expired still decodes successfully — this tool does not verify expiry or the signature. Use it to inspect claims only, not to validate token authenticity.
Your token is never sent to any server — decoding runs entirely in your browser.
Frequently Asked Questions
- What is a JWT token?
- A JSON Web Token (JWT) is a compact, URL-safe token format used for securely transmitting information between parties. It consists of three Base64URL-encoded parts — header, payload, and signature — separated by dots.
- How do I decode a JWT token?
- Paste your JWT into the input field and click "Decode JWT". The tool splits the token by dots, Base64URL-decodes each part, and displays the header and payload as formatted JSON.
- Is the JWT signature verified?
- No. This tool only decodes the header and payload — it does not verify the signature. Signature verification requires the secret key or public key and must be done server-side.
- Is it safe to paste my JWT here?
- Yes. This tool runs entirely in your browser — no data is sent to any server. Your token never leaves your device.
- What are the exp, iat, and nbf claims in a JWT?
- These are registered JWT claims: "exp" (expiration time) defines when the token expires, "iat" (issued at) records when it was issued, and "nbf" (not before) defines when the token becomes valid. All are Unix timestamps.