JWT Decoder
Decode a JWT and inspect its header and payload, entirely in your browser.
{
"alg": "HS256",
"typ": "JWT"
}{
"sub": "1234567890",
"name": "Ada Lovelace",
"iat": 1516239022
}- Issued at (iat): Jan 18, 2018, 1:30:22 AM UTC
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
The signature is shown as-is. This tool decodes tokens but does not verify the signature, which needs the signing secret or key.
Recommended next steps
Related tools
Encode or decode text to and from base64, with a URL-safe variant.
Convert JSON arrays to CSV and CSV back to JSON, in your browser.
Test a regular expression against text and see matches and capture groups.
Frequently asked questions
No. It decodes the header and payload so you can read the claims, and it shows the signature as-is. Verifying the signature requires the signing secret or public key, which this browser tool doesn't have. Treat the decoded payload as untrusted until your server has verified it.
No. Decoding runs entirely in your browser using built-in base64url and JSON parsing. The token never leaves the page, so it's safe to inspect real tokens.
They are standard time claims, stored as seconds since the Unix epoch. iat is when the token was issued, nbf is the earliest time it's valid, and exp is when it expires. The tool converts each to a readable date and tells you whether the token has expired based on your device clock.
A JWT in compact form has exactly three parts separated by dots (header.payload.signature), and the header and payload must be base64url-encoded JSON. If a part is missing, the encoding is wrong, or the decoded text isn't valid JSON, the tool says so instead of guessing. Encrypted JWE tokens (five parts) aren't supported.
Last updated 2026-06-23.