JWT (JSON Web Token) decoder online

Paste a JWT to view the decoded header and payload, plus expiry (exp). Decoding is local, nothing is sent to servers.

What it is for

The JWT decoder reads a JSON Web Token and shows the header and payload in a readable form. Paste the token and see the three dot-separated parts decoded instantly.

Each part of the JWT is encoded in Base64URL. The tool decodes these parts and displays the payload claims, such as exp, iat and sub, as formatted JSON.

It only decodes, it does not validate

This is the critical point: the tool only DECODES the token, it does NOT validate the signature or confirm that the token is authentic or trustworthy. Seeing the claims does not mean the token is valid.

Signature verification needs the secret or public key and must be done on the backend. Never trust a JWT just because you could read it here, anyone can forge a decodable token.

Common claims

  • exp: the token's expiration date, as a timestamp.
  • iat: the moment the token was issued.
  • sub: the subject identifier (usually the user).
  • iss and aud: the issuer and intended audience of the token.

Privacy

Decoding happens locally in your browser, nothing is sent to servers. You can debug development tokens safely, without exposing their content.

Frequently asked questions

Does the tool validate the token signature?
No. It only decodes the header and payload. Signature validation needs the key and must be done on the server.
If I can read the claims, is the token trustworthy?
No. Decoding is different from validating. Anyone can create a decodable token; only signature verification proves authenticity.
Is the token sent to any server?
No. Decoding happens entirely in your browser.