JWT Decoder

Decode a JSON Web Token's header and payload β€” locally in your browser

Header

Payload

β€”
πŸ”’ Decoding happens entirely in your browser. The token is never uploaded or stored.

Paste a JSON Web Token and this tool splits it apart and decodes the header and payload into readable JSON, translating timestamp claims like exp and iat into real dates. It runs entirely in your browser — the token is never sent anywhere.

What is a JWT?

A JSON Web Token is a compact, URL-safe way to carry a set of claims between two parties — most commonly to prove who a logged-in user is. It has three parts separated by dots: header.payload.signature. The header and payload are just Base64url-encoded JSON (see our Base64 and URL encoding tools), and the signature is a cryptographic stamp created with a secret or private key.

When and why you'd use it

Worked examples

A token beginning eyJhbGciOiJIUzI1Ni... decodes to a header of {"alg":"HS256","typ":"JWT"} — that leading eyJ is always the Base64 of {".
A payload claim "exp": 1735689600 is shown as its calendar date, so you can see at a glance whether the token is still valid.
A payload like {"sub":"1234","name":"Ada","role":"admin"} reveals the user and their claims in plain text — proof that anyone can read a JWT.

Frequently asked questions

Does decoding a JWT verify it?

No — and this is the crucial point. Decoding just Base64-decodes the header and payload. Verifying means checking the signature with the key to confirm the token is authentic and untampered. A server must always verify; never trust a decoded payload alone.

Is a JWT encrypted?

Standard signed JWTs are not encrypted — the payload is only Base64url-encoded, so anyone holding the token can read every claim. Never put passwords or secrets in a JWT payload.

Is it safe to paste my token here?

This tool decodes locally in your browser and never transmits the token. Still, treat production tokens as sensitive — anyone who has your token can use it until it expires, so avoid pasting live tokens into tools you don't trust.

What do exp and iat mean?

iat is "issued at" and exp is "expires" — both are Unix timestamps (see our Timestamp Converter). This tool converts them to readable dates for you.

Decoding ≠ trusting. A decoded payload proves nothing on its own — a signature can be forged in the display but not validated here. Always verify the signature server-side with the correct key before acting on any claim.