Decode a JSON Web Token's header and payload β locally in your browser
β
β
Paste a JSON Web Token and this tool splits it apart and decodes the header and payload into readable JSON, translating timestamp claims like exp and iat into real dates. It runs entirely in your browser — the token is never sent anywhere.
A JSON Web Token is a compact, URL-safe way to carry a set of claims between two parties — most commonly to prove who a logged-in user is. It has three parts separated by dots: header.payload.signature. The header and payload are just Base64url-encoded JSON (see our Base64 and URL encoding tools), and the signature is a cryptographic stamp created with a secret or private key.
HS256, RS256).sub), who issued it (iss), when it expires (exp), and any custom data.exp/iat as human dates to explain a "401 / token expired" error.eyJ is always the Base64 of {".No — and this is the crucial point. Decoding just Base64-decodes the header and payload. Verifying means checking the signature with the key to confirm the token is authentic and untampered. A server must always verify; never trust a decoded payload alone.
Standard signed JWTs are not encrypted — the payload is only Base64url-encoded, so anyone holding the token can read every claim. Never put passwords or secrets in a JWT payload.
This tool decodes locally in your browser and never transmits the token. Still, treat production tokens as sensitive — anyone who has your token can use it until it expires, so avoid pasting live tokens into tools you don't trust.
iat is "issued at" and exp is "expires" — both are Unix timestamps (see our Timestamp Converter). This tool converts them to readable dates for you.