JWT Decoder

Decode and inspect JSON Web Tokens — header, payload claims, and expiry status.

Deep Dive

Decode and inspect the header and payload sections of any JSON Web Token (JWT) without needing a secret key. This tool parses the Base64URL-encoded parts and displays the JSON contents in a readable format. Note: this tool does not verify the signature — it only reads the claims.

Use Cases

Inspecting token claims during API development and debugging

Checking whether a JWT has expired

Reading user roles and permissions embedded in a token

Teaching JWT structure in a workshop or tutorial

Examples

Decode a sample JWT header

Input

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.<payload>.<sig>

Output

{ "alg": "HS256", "typ": "JWT" }

Frequently Asked Questions

Does this verify the JWT signature?

No. Signature verification requires the secret or public key held by the issuing server. This tool only decodes the readable parts of the token.

Is it safe to paste a production JWT here?

Decoding happens entirely in your browser — nothing is sent to a server. That said, treat JWTs like passwords; avoid pasting tokens with sensitive permissions into any third-party site.

Why does the payload show an `exp` timestamp?

exp is a Unix timestamp (seconds since 1970-01-01 UTC). The tool converts it to a human-readable date for convenience.

I see 'Invalid JWT format' — why?

A valid JWT must consist of exactly three Base64URL parts separated by dots. Ensure you copied the complete token without extra spaces or line breaks.