Skip to content

JWT Decoder

Decode JWT headers and payloads instantly. Human-readable claim table, expiry countdown, and optional signature verification via WebCrypto. Token never uploaded.

JWT Token

What is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. It consists of three base64url-encoded parts separated by dots: a header, a payload, and a signature. JWTs are widely used for authentication and authorisation in REST APIs, OAuth 2.0, and OpenID Connect flows.

How to decode a JWT

  1. Paste your JWT into the input box. The token is decoded instantly in your browser.
  2. View the Payload Claims tab for a human-readable claim table with timestamps converted to dates.
  3. Switch to Raw JSON to inspect the header and payload as formatted JSON.
  4. Optionally paste your HMAC secret or RSA/EC public key to verify the signature using WebCrypto — no network request is made.

Standard JWT claims explained

ClaimMeaning
expExpiration time — token must not be accepted after this time.
iatIssued at — the time the token was issued.
nbfNot before — token must not be accepted before this time.
subSubject — typically the user ID or entity the token refers to.
issIssuer — identifies the principal that issued the token.
audAudience — the recipient(s) the token is intended for.

Is it safe to paste a JWT into a website?

With this tool, yes — decoding is done entirely in your browser using JavaScript. Your token is never transmitted to any server. However, as a general rule, never paste real production JWTs into any third-party tool you do not fully control, because a valid JWT is often equivalent to a session credential.

Frequently Asked Questions

Is it safe to decode a JWT online?

With this tool, yes — decoding happens entirely in your browser using JavaScript. Your token is never sent to any server. However, avoid pasting production tokens into any online tool you do not control.

Can I verify the JWT signature?

Yes. Paste your HMAC secret or RSA/EC public key and the tool uses the browser WebCrypto API to verify the signature without any network requests.

What claims are decoded?

All standard claims are shown in a human-friendly table: exp and iat are converted to local timestamps, nbf shows the "not before" date, and sub/iss/aud are displayed clearly.

Why should I never paste JWTs into AI chatbots?

JWTs often carry authentication credentials. Pasting them into chatbots or third-party websites sends them to external servers where they could be logged or misused.