JWT Decoder
Decode a JWT online: header, payload, and human-readable exp/iat timestamps — without the token leaving your browser.
About this tool
Paste a JSON Web Token to see its header and payload with syntax highlighting, plus exp/iat/nbf claims converted to readable dates with relative times. You can paste anything containing a token — a bare JWT, 'Bearer eyJ…', a whole authorization header line, or a curl -H flag — and the token is extracted automatically.
Decoding happens entirely in your browser: a JWT's first two segments are just Base64URL-encoded JSON, so no secret is needed to read them. The signature is displayed but not verified.
Frequently asked questions
Is it safe to paste a real token here?
The token never leaves your browser — decoding is local and nothing is transmitted. But the token itself is still a credential: if you screenshot the decoded result into Slack or a doc, anyone can copy the token string out of the image and use it as-is. Capture screenshots with an expired token, and if a live one gets exposed, revoke it (e.g. invalidate the session) right away.
Why isn't the signature verified?
Verification requires the secret (HS256) or public key (RS256/ES256), which you shouldn't paste into tools. Decoding only shows what the token claims; it does not prove that the token is authentic. Servers must always verify the signature.
If anyone can decode it, is a JWT encrypted?
No — a standard JWS token is signed, not encrypted. Anyone holding it can read the payload; the signature only prevents tampering. Don't put secrets in claims; use JWE if you need confidentiality.
What do exp, iat, and nbf mean?
Unix-timestamp claims: iat = issued at, nbf = not valid before, exp = expiry. Servers typically allow a small clock skew (seconds to a few minutes) when enforcing them.
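The local decoding described under "About this tool" and the exp/iat/nbf conversion above, as an added example that is not this tool's own code: it pulls the first JWT-shaped string out of pasted text, Base64URL-decodes the header and payload, and renders the time claims as dates without verifying the signature. The function names, the eyJ-prefixed match pattern and the sample token are assumptions constructed for illustration.

```javascript
// Added example, not the tool's own source. Names and sample data are assumptions.
// Assumed pattern: header and payload are JSON objects beginning {"x, so each
// Base64URL segment starts with "eyJ"; the signature segment may be empty.
const TOKEN_RE = /eyJ[A-Za-z0-9_-]*\.eyJ[A-Za-z0-9_-]*\.[A-Za-z0-9_-]*/;

// Base64URL -> JSON: restore the standard alphabet and padding, decode as UTF-8.
function b64urlToJson(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}

// Decode only. Nothing here checks the signature, so the claims are unauthenticated.
function inspectJwt(pasted, nowSeconds = Math.floor(Date.now() / 1000)) {
  const match = pasted.match(TOKEN_RE);
  if (!match) throw new Error("no JWT-shaped string found");
  const [headerSeg, payloadSeg, signatureSeg] = match[0].split(".");
  const payload = b64urlToJson(payloadSeg);
  const times = {};
  for (const claim of ["iat", "nbf", "exp"]) {
    // Time claims are seconds since the Unix epoch; Date wants milliseconds.
    if (typeof payload[claim] === "number") {
      times[claim] = new Date(payload[claim] * 1000).toISOString();
    }
  }
  return {
    header: b64urlToJson(headerSeg),
    payload,
    times,
    expired: typeof payload.exp === "number" && nowSeconds >= payload.exp,
    notYetValid: typeof payload.nbf === "number" && nowSeconds < payload.nbf,
    signature: signatureSeg, // displayed as-is
    verified: false,         // always: no key is involved
  };
}

// Constructed sample: a token built here with a placeholder signature.
const enc = (obj) =>
  btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE_TOKEN = [
  enc({ alg: "HS256", typ: "JWT" }),
  enc({ sub: "user-123", iat: 1700000000, nbf: 1700000000, exp: 1700003600 }),
  "c2lnbmF0dXJl", // placeholder bytes, not a valid HMAC
].join(".");
const SAMPLE_PASTE = `curl -H 'Authorization: Bearer ${SAMPLE_TOKEN}' https://api.example.test/me`;

console.log(inspectJwt(SAMPLE_PASTE, 1700000100));
```

The second argument fixes "now" so the expired/notYetValid flags are reproducible; omit it to compare against the current clock.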