JWT Decoder

Decode and inspect JWT header, payload, signature, claims, and expiration locally in your browser without uploading the token. Expand to read more.

Decode a JWT in your browser

A JSON Web Token (JWT) in compact form is three Base64URL segments separated by dots: header.payload.signature. This JWT decoder Base64URL-decodes the header and payload, parses them as JSON, and shows registered claims such as iss, sub, aud, exp, nbf, iat, and jti. Decoding runs entirely in your browser. The token is not uploaded, stored, or placed in the page URL.

Header and payload are encoded, not encrypted. Anyone who has the token can read those JSON objects. The signature segment is shown as Base64URL text only; verifying it requires a key or secret and a separate verification step.

How to inspect a token

  1. Paste a compact JWT into the input editor. An optional leading Bearer prefix (from an Authorization header) is accepted and stripped.
  2. Review Token Status for alg, typ, kid (when present), and the fixed notice that the signature is not verified.
  3. Inspect the pretty-printed Header and Payload JSON.
  4. Use Registered Claims for human-readable timestamps on iat, nbf, and exp, including simple expiration or not-before observations.
  5. Read the Signature section only as the original encoded segment—not as proof of authenticity.

Claims and algorithms

  • alg — signing or MAC algorithm named in the header (for example HS256, RS256, or ES256). Seeing an algorithm does not mean it was verified.
  • kid — optional key identifier that a verifier might use to select a key.
  • iss — issuer; sub — subject; aud — audience (string or array); jti — JWT ID.
  • iat — issued-at NumericDate; nbf — not-before; exp — expiration. This tool shows UTC and local timestamps for these values. An expired exp or a future nbf is only a time observation. It does not mean the signature is valid or invalid.

Expiration checks alone never establish trust. Treat every decoded claim as untrusted until the signature is verified with the correct key material.

Synthetic example

Use a disposable sample such as:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6InRlc3Qta2V5LTEifQ.eyJpc3MiOiJleGFtcGxlLWlzc3VlciIsInN1YiI6InN5bnRoZXRpYy11c2VyIiwiYXVkIjpbImFwaSIsImFkbWluIl0sImV4cCI6MTcwMDAwMzYwMCwibmJmIjoxNzAwMDAwMDAwLCJpYXQiOjE3MDAwMDAwMDAsImp0aSI6InN5bnRoZXRpYy1qdGkifQ.dGVzdC1zaWduYXR1cmU

Prefer synthetic or non-production tokens when testing. Avoid pasting live production credentials into any third-party site; this page processes input locally, but keeping secrets off shared screens and fixtures remains good practice.

Standards

Compact JWT/JWS structure and claims follow RFC 7519 and RFC 7515. Not every OAuth access token is a JWT; only tokens that use this compact three-segment form can be decoded here. Encrypted JWE tokens (typically five segments) are out of scope for this decoder.

JWT decoder FAQ

Does decoding verify the signature?

No. This tool never validates HMAC, RSA, or ECDSA signatures. The notice Decoded only — signature not verified. is intentional.

Is the token sent to a server?

No. Parsing and rendering happen in your browser. Remember Input and Share are disabled so the token is not written to local storage or query parameters by this page.

Why can I read the payload without a secret?

Because the payload is Base64URL-encoded JSON, not ciphertext. Confidentiality requires encryption (for example JWE) or a channel that never exposes the token.

Input
Output
Settings