What is a JWT decoder?
A JSON Web Token has three base64url segments: header.payload.signature. The header and payload are plain JSON: base64url is an encoding, not encryption, so anyone holding a token can read its claims. This tool splits the token and pretty-prints both parts so you can debug auth flows, inspect expiry, and check claims, entirely on your machine. Because tokens are live credentials, decoding them locally matters: pasting a real token into a site that uploads it is handing over a session.
Edge cases & gotchas
- Base64url uses `-` and `_` instead of `+` and `/`, with padding stripped, so a plain base64 decoder often fails on JWTs.
- `exp` is seconds, not milliseconds (a common off-by-1000 bug).
- Decoding ≠ trusting: always verify the signature server-side before acting on claims.
- An `alg: none` token is unsigned. Reject it in production.
- Five segments means JWE (encrypted), which genuinely cannot be read without the key.
Registered claims reference
| Claim | Meaning |
|---|---|
| iss | Issuer |
| sub | Subject (user id) |
| aud | Audience |
| exp | Expiry (Unix seconds) |
| nbf | Not valid before |
| iat | Issued at |
| jti | Token id (replay protection) |
How to use
- Paste a JWT into the Input pane. A raw token or a full `Authorization: Bearer …` value both work.
- The decoded header, payload, and raw signature appear instantly as colored JSON.
- Check the claims: `exp`/`iat`/`nbf` are Unix timestamps (seconds).
- Copy the decoded JSON or inspect individual claims.
- Nothing is uploaded: decoding happens entirely in your browser.
Examples
Decode a token
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjMiLCJuYW1lIjoiQWRhIn0.sig
{
"header": { "alg": "HS256", "typ": "JWT" },
"payload": { "sub": "123", "name": "Ada" },
"signature": "sig"
}
Bearer header value works too
Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjMifQ.x
{
"header": { "alg": "HS256", "typ": "JWT" },
"payload": { "sub": "123" },
"signature": "x"
}
FAQ
Is my token sent to a server?
No. Decoding runs 100% in your browser. Open DevTools → Network and verify: zero requests. Tokens are credentials; never paste them into tools that upload them.
Does this verify the signature?
No, it decodes only. Signature verification requires the signing secret or public key and should happen server-side. The raw signature segment is shown for reference.
Why can a JWT be decoded without the secret?
The header and payload are just base64url-encoded JSON: encoding, not encryption. The secret only signs the token; it doesn't hide its contents. Never put sensitive data in a JWT payload.
How do I read exp / iat / nbf?
They're Unix timestamps in seconds: exp = expiry, iat = issued-at, nbf = not-before. Multiply by 1000 for JavaScript's new Date(ms).
What if my token has only two segments?
That's not a signed JWT (JWS). Unsecured JWTs (alg: none) end with a trailing dot; encrypted JWEs have five segments and cannot be decoded without the key.
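The edge cases above (base64url alphabet and stripped padding, a Bearer prefix, seconds-based timestamps, unsigned alg: none tokens with a trailing dot, five-segment JWEs) as a small local decoder. This is an added example, not the tool's own code; it assumes a browser or Node 16+ environment with atob and TextDecoder available, and the tokens it is fed are constructed samples.

```javascript
// Added example, not the tool's own code: a local decoder that handles the
// gotchas listed on this page. Runs in a browser or in Node 16+ (atob,
// TextDecoder). Tokens fed to it in tests are constructed samples.

function base64urlDecode(segment) {
  // Base64url: '-' and '_' replace '+' and '/', and padding is stripped,
  // so restore both before handing the string to a standard decoder.
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  // atob returns a binary string; re-decode the bytes as UTF-8 so
  // non-ASCII claim values survive.
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

function claimToDate(seconds) {
  // exp/iat/nbf are Unix seconds; JavaScript's Date wants milliseconds.
  return new Date(seconds * 1000);
}

function decodeJwt(input) {
  // Accept a raw token or a full "Authorization: Bearer <token>" value.
  const token = input.trim().replace(/^(authorization:\s*)?bearer\s+/i, "");
  const parts = token.split(".");
  if (parts.length === 5) {
    throw new Error("Five segments: this is a JWE and cannot be read without the key");
  }
  if (parts.length !== 3) {
    throw new Error(`Expected header.payload.signature, got ${parts.length} segment(s)`);
  }
  const [h, p, signature] = parts;
  const header = JSON.parse(base64urlDecode(h));
  const payload = JSON.parse(base64urlDecode(p));
  // Decoding is not trusting: surface the conditions a verifier would reject.
  const warnings = [];
  if (signature === "" || String(header.alg).toLowerCase() === "none") {
    warnings.push("unsigned token (alg: none / empty signature): reject in production");
  }
  const now = Math.floor(Date.now() / 1000);
  if (typeof payload.exp === "number" && payload.exp < now) warnings.push("expired");
  if (typeof payload.nbf === "number" && payload.nbf > now) warnings.push("not yet valid (nbf)");
  const expiresAt = typeof payload.exp === "number" ? claimToDate(payload.exp).toISOString() : null;
  return { header, payload, signature, expiresAt, warnings };
}
```

The signature segment is returned verbatim and never checked; verification needs the key and belongs on the server.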