About JWT Decoder
What Is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe token used to pass claims between two parties. You'll encounter them constantly in web development — they're the standard for authentication in modern APIs. When you log into a site and get a bearer token, that's usually a JWT.
JWT Structure
A JWT has three parts separated by dots: header.payload.signature. The header specifies the signing algorithm (such as HS256 or RS256). The payload contains the claims: user ID, roles, expiration time. The signature lets the recipient detect tampering, but only when it is actually verified against the signing key.
What This Tool Shows You
- Header — The signing algorithm and token type
- Payload — All claims, decoded and formatted
- Expiration status — Whether the token is still valid or has expired
- Timestamps — iat, exp, and nbf converted to readable dates
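Note: This tool only decodes JWTs — it doesn't verify signatures. The header and payload of a JWT are just base64url-encoded JSON, so anyone who holds the token can read them. The signature is what provides security, so decoded claims should not be trusted until the signature has been verified.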
Frequently asked questions
Does this JWT decoder verify the signature?
It decodes and displays the header and payload and shows expiration status, but it does not verify the signature — decoding never requires the secret key.
Is it safe to paste a real token?
Yes. Decoding happens entirely in your browser and the token is never sent to a server. Still, treat production tokens carefully.
What do the header and payload show?
The header describes the signing algorithm and token type, while the payload contains the claims such as subject, issued-at, and expiry.