JWT Decoder
Paste a JSON Web Token to inspect its header, payload, and standard claims. Expiry, issued-at, and not-before timestamps are shown as human-readable dates. Runs entirely in your browser — your token never leaves your device.
JWT structure
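A JWT has three Base64URL-encoded parts separated by dots: header.payload.signature. The header and payload are JSON objects that are encoded, not encrypted, so anyone holding the token can read them. The header identifies the algorithm (e.g. HS256, RS256). The payload contains claims: statements about a user or session. The signature proves the token was issued by a trusted party, and it only does so once it has been verified with the right key.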
Why decode-only?
Verifying a JWT signature requires the secret key (HS256) or the public key (RS256/ES256). These are never available in the browser for legitimate tokens. Decode-only is correct here: you see the claims, but only your backend can confirm the token is authentic.
Standard claims
The JWT spec (RFC 7519) defines standard claims: exp (expiration time), iat (issued at), nbf (not before), sub (subject), iss (issuer), aud (audience), and jti (JWT ID). Custom claims can be anything — your team defines them.