JWT Decoder
Decode JSON Web Tokens to inspect header and payload JSON. Explains signature limits—client-side only; never paste production secrets you cannot rotate.
Added Apr 29, 2026 · Updated May 1, 2026
Input
Result
Enter a value for jwt token to see your result.
How it works
Decodes a JSON Web Token (JWT) without verifying the signature. Shows the header (algorithm and token type), the payload (claims such as subject, issuer, and expiry), and token metadata. The signature is not checked — this is a debugging tool only.
Step by step
- 01Split the JWT on '.' to get the three parts: header, payload, signature.
- 02Base64URL-decode the header and payload sections.
- 03Parse each as JSON and display the claims.
- 04Extract the 'exp' claim (Unix timestamp) to show the expiry time and whether the token has expired.
Examples
Decode a sample JWT
The header reveals HS256 algorithm, the payload shows sub and name claims.
Inputs
- JWT token:
- eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Result
- Header:
- { "alg": "HS256", "typ": "JWT" }
Frequently asked questions
Is it safe to paste my JWT here?
This tool runs entirely in your browser — no data is sent to any server. However, avoid sharing JWTs with sensitive claims (e.g., access tokens) in untrusted environments.
Does this verify the JWT signature?
No. This is a decoding tool for inspection and debugging. Signature verification requires the secret key or public key and should be done on your server.
Why can I decode a JWT without the secret — is that insecure?
JWT payloads are only Base64URL-encoded JSON; anyone can read them. Security comes from the signature (HMAC/RSA/ECDSA) proving the issuer. Never put secrets in claims unless they are encrypted (JWE) for the recipient.
What do exp, nbf, and iat mean?
`exp` is expiration time, `nbf` is not-before, and `iat` is issued-at — all typically in seconds since Unix epoch unless using stringdate claims. Your API gateway should enforce `exp` even if the token still decodes.
Can I paste refresh tokens or long-lived admin tokens?
You should not paste highly privileged tokens into any online or shared device tool. Prefer decoding copies of expired sample tokens, or use local CLI utilities in a locked-down environment.