JWT Decoder
Decode JWT headers and payloads instantly. Human-readable claim table, expiry countdown, and optional signature verification via WebCrypto. Token never uploaded.
What is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. It consists of three base64url-encoded parts separated by dots: a header, a payload, and a signature. JWTs are widely used for authentication and authorisation in REST APIs, OAuth 2.0, and OpenID Connect flows.
How to decode a JWT
- Paste your JWT into the input box. The token is decoded instantly in your browser.
- View the Payload Claims tab for a human-readable claim table with timestamps converted to dates.
- Switch to Raw JSON to inspect the header and payload as formatted JSON.
- Optionally paste your HMAC secret or RSA/EC public key to verify the signature using WebCrypto — no network request is made.
Standard JWT claims explained
| Claim | Meaning |
|---|---|
| exp | Expiration time — token must not be accepted after this time. |
| iat | Issued at — the time the token was issued. |
| nbf | Not before — token must not be accepted before this time. |
| sub | Subject — typically the user ID or entity the token refers to. |
| iss | Issuer — identifies the principal that issued the token. |
| aud | Audience — the recipient(s) the token is intended for. |
Is it safe to paste a JWT into a website?
With this tool, yes — decoding is done entirely in your browser using JavaScript. Your token is never transmitted to any server. However, as a general rule, never paste real production JWTs into any third-party tool you do not fully control, because a valid JWT is often equivalent to a session credential.
Frequently Asked Questions
Is it safe to decode a JWT online?
With this tool, yes — decoding happens entirely in your browser using JavaScript. Your token is never sent to any server. However, avoid pasting production tokens into any online tool you do not control.
Can I verify the JWT signature?
Yes. Paste your HMAC secret or RSA/EC public key and the tool uses the browser WebCrypto API to verify the signature without any network requests.
What claims are decoded?
All standard claims are shown in a human-friendly table: exp and iat are converted to local timestamps, nbf shows the "not before" date, and sub/iss/aud are displayed clearly.
Why should I never paste JWTs into AI chatbots?
JWTs often carry authentication credentials. Pasting them into chatbots or third-party websites sends them to external servers where they could be logged or misused.