Utility Pages
Developer Tools

JWT Decoder

Inspect any JSON Web Token. Decoded header, payload, signature, and timing — never sent to a server.

JWT (paste here)
Expired 21483h ago
Header
{
  "alg": "HS256",
  "typ": "JWT"
}
Payload
{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022,
  "exp": 1700000000
}

Claims (with timestamps decoded)

sub(reserved)
1234567890
name
John Doe
iat(reserved)
1516239022 — 1/18/2018, 1:30:22 AM
exp(reserved)
1700000000 — 11/14/2023, 10:13:20 PM
Signature (raw, not verified)
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Signature verification requires the issuer's public key or shared secret. We don't attempt verification here — paste the signing key into your library of choice (e.g. jose, jsonwebtoken).

A safer JWT debugger

Most online JWT decoders send your token to a server. Ours doesn't — everything runs locally. Paste a token and see header, payload, and signature instantly. Reserved claims (exp, iat, nbf) are auto-converted to readable dates.

Frequently Asked Questions

What is a JWT?
A JSON Web Token is a self-contained, URL-safe token format used for authentication and information exchange. It has 3 parts separated by dots: header.payload.signature. Header and payload are Base64URL-encoded JSON; signature is a cryptographic check.
Is decoding a JWT the same as verifying it?
No. Decoding is reading the contents — anyone can do it (JWTs are not encrypted by default). Verifying means checking the signature against the issuer's public key (or shared secret) to ensure the token wasn't tampered with. We decode here, but do not verify.
Are JWTs encrypted?
Standard signed JWTs (JWS) are not encrypted — they're signed for tamper-detection. Anyone with the token can read the payload. Don't put secrets in JWT payloads. JWE (encrypted JWT) exists but is much rarer.
What do exp, iat, and nbf mean?
exp = expiration time (Unix epoch seconds). iat = issued at. nbf = not before (token invalid before this time). All are reserved claims defined in RFC 7519. We show human-readable dates next to the raw numbers.
Is my token sent to a server?
No. All decoding happens in your browser via JavaScript. Open dev tools and check — zero network requests when you decode a token. Safe for production tokens.

Related Calculators

Base64 Encoder/Decoder
Encode and decode Base64
JSON Formatter
Pretty-print and validate JSON
Hash Generator
MD5, SHA-256, SHA-512