Decode JSON Web Tokens to inspect header and payload JSON. Explains signature limits—client-side only; never paste production secrets you cannot rotate.
Added Apr 29, 2026 · Updated May 1, 2026
Decodes a JSON Web Token (JWT) without verifying the signature. Shows the header (algorithm and token type), the payload (claims such as subject, issuer, and expiry), and token metadata. The signature is not checked — this is a debugging tool only.
In the sample token, the header reveals the HS256 algorithm and the payload shows the sub and name claims.
This tool runs entirely in your browser — no data is sent to any server. However, avoid sharing JWTs with sensitive claims (e.g., access tokens) in untrusted environments.
No, it does not verify signatures. This is a decoding tool for inspection and debugging. Signature verification requires the secret key or public key and should be done on your server.
JWT payloads are only Base64URL-encoded JSON; anyone can read them. Security comes from the signature (HMAC/RSA/ECDSA) proving the issuer. Never put secrets in claims unless they are encrypted (JWE) for the recipient.
`exp` is expiration time, `nbf` is not-before, and `iat` is issued-at. All three are normally NumericDate values, i.e. seconds since the Unix epoch, unless the issuer uses string-formatted date claims. Your API gateway should enforce `exp` even if the token still decodes.
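The decoding described above (Base64URL segments, header and payload JSON, signature left unverified) together with a check of the `exp`, `nbf` and `iat` claims, as an added example in JavaScript. This is not the tool's own code; the sample token is the widely published HS256 demo token (its signature is not verified here), `buildUnsignedSample` produces constructed tokens with a placeholder signature segment, and the `leewaySeconds` parameter is an assumption for clock skew.

```javascript
// Decode a JWS-style JWT without verifying its signature, then inspect time claims.
// Added example, not the page's own tool code.

function base64UrlDecode(segment) {
  // Base64URL uses '-' and '_' instead of '+' and '/', and drops padding.
  let b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const rem = b64.length % 4;
  if (rem === 1) throw new Error('invalid Base64URL segment length');
  if (rem) b64 += '='.repeat(4 - rem);
  const binary = typeof atob === 'function'
    ? atob(b64)
    : Buffer.from(b64, 'base64').toString('binary');
  // Claims may contain non-ASCII text, so decode the bytes as UTF-8.
  const bytes = Uint8Array.from(binary, (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

function base64UrlEncode(str) {
  const bytes = new TextEncoder().encode(str);
  let binary = '';
  for (const b of bytes) binary += String.fromCharCode(b);
  const b64 = typeof btoa === 'function'
    ? btoa(binary)
    : Buffer.from(binary, 'binary').toString('base64');
  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Splits header.payload.signature and parses the two JSON parts.
// The signature is returned as-is and is NOT checked.
function decodeJwt(token) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) {
    throw new Error(`expected 3 segments, got ${parts.length} (JWE tokens have 5 and are not handled)`);
  }
  const header = JSON.parse(base64UrlDecode(parts[0]));
  const payload = JSON.parse(base64UrlDecode(parts[1]));
  return { header, payload, signature: parts[2], signatureVerified: false };
}

// Evaluates exp / nbf / iat against a given Unix time (seconds).
// leewaySeconds is an assumed clock-skew allowance, default 0.
function checkTimeClaims(payload, now = Math.floor(Date.now() / 1000), leewaySeconds = 0) {
  const problems = [];
  const numeric = {};
  for (const name of ['exp', 'nbf', 'iat']) {
    if (!(name in payload)) continue;
    if (typeof payload[name] === 'number') {
      numeric[name] = payload[name];
    } else {
      problems.push(`${name} is not a NumericDate (got ${typeof payload[name]})`);
    }
  }
  if (!('exp' in payload)) {
    problems.push('no exp claim: the token never expires unless the server enforces its own limit');
  }
  const expired = 'exp' in numeric && now >= numeric.exp + leewaySeconds;
  const notYetValid = 'nbf' in numeric && now < numeric.nbf - leewaySeconds;
  const issuedInFuture = 'iat' in numeric && numeric.iat > now + leewaySeconds;
  return { expired, notYetValid, issuedInFuture, problems };
}

// Builds a constructed, unsigned sample token for local experiments.
// The third segment is a placeholder, not a real signature.
function buildUnsignedSample(header, payload) {
  return `${base64UrlEncode(JSON.stringify(header))}.${base64UrlEncode(JSON.stringify(payload))}.placeholder-signature`;
}

// Widely published HS256 demo token (sample input, signature not verified here).
const SAMPLE_TOKEN =
  'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.' +
  'eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.' +
  'SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c';

if (typeof require !== 'undefined' && require.main === module) {
  const decoded = decodeJwt(SAMPLE_TOKEN);
  console.log('header:', decoded.header);
  console.log('payload:', decoded.payload);
  console.log('time claims:', checkTimeClaims(decoded.payload));
}

if (typeof module !== 'undefined') {
  module.exports = { base64UrlDecode, base64UrlEncode, decodeJwt, checkTimeClaims, buildUnsignedSample, SAMPLE_TOKEN };
}
```

Running the block prints the decoded header and payload of the demo token and reports that it carries no `exp` claim; the `signatureVerified: false` field is kept on the result so callers cannot mistake decoding for verification.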
You should not paste highly privileged tokens into any online or shared device tool. Prefer decoding copies of expired sample tokens, or use local CLI utilities in a locked-down environment.