Decode JSON Web Tokens online, inspect header and payload claims, check expiry and verify supported HMAC signatures locally.
A
JWT
is three Base64URL-encoded segments joined by dots:
header.payload.signature. The
header
names the signing algorithm (alg) and token type (typ); the
payload
carries the claims — standard ones like
iss,
sub,
exp
plus any custom fields; the
signature
is computed over the first two segments so the token can't be tampered with undetected.
A JWT decoder is useful for reading authentication claims, debugging expiry, checking issuer and audience values, and confirming which algorithm a token declares. Decoding is not the same as verifying. The header and payload are merely encoded, not encrypted — anyone can read them, which is why you should never put secrets in a JWT. Only checking the signature against the issuer's key proves the token is authentic and unaltered. This tool decodes everything client-side and can verify HMAC signatures locally; the token never leaves your machine.
No. Splitting, Base64URL decoding, claim inspection and supported HMAC signature checks run in your browser. Nothing is uploaded, but avoid pasting sensitive production tokens on shared or untrusted devices.
No. Decoding only reads the header and payload. A JWT can be readable yet forged. Use the Signature panel to verify HMAC tokens against the shared secret; RSA and ECDSA tokens require the issuer public key and are not verified here.
The exp claim is a Unix timestamp in seconds. If it is in the past, the token is expired. The nbf claim means not before; if it is in the future, the token is not valid yet. The check uses your device clock.
No. The header and payload are Base64URL-encoded, not encrypted. Anyone holding the token can read those claims, so keep passwords, API keys and private personal data out of JWT payloads.