JWT Decoder
Paste a token, see what's inside. Nothing leaves your browser.
Try it — sample token
Copy this JWT and paste it above to see how the decoder works:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyLCJleHAiOjE3MzQyODgwMDB9.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
This is a demo token — never paste real production tokens in untrusted tools.
JWT structure
Header
Algorithm (HS256, RS256) and token type
Payload
Claims: user ID, roles, expiration, custom data
Signature
Verifies that the token wasn't tampered with
Standard claims
| Claim | Name | Description |
|---|---|---|
| iss | Issuer | Who created the token |
| sub | Subject | Who the token represents (user ID) |
| exp | Expiration | When the token expires (Unix timestamp) |
| iat | Issued At | When the token was created |
| aud | Audience | Intended recipient of the token |
FAQ
Is it safe to paste my JWT here?
Yes. All decoding happens in your browser using JavaScript. The token is never sent to any server. Open your browser's Network tab to verify — you'll see no outgoing requests when you paste a token.
Can this tool verify JWT signatures?
No. Signature verification requires the secret key (for HS256) or public key (for RS256). This tool only decodes the header and payload, which are Base64-encoded and not encrypted.
What does "exp" mean in a JWT?
The "exp" claim is the expiration time as a Unix timestamp. After this time, the token should be considered invalid. This tool automatically checks if your token is expired.
Why can I decode a JWT without the secret?
JWTs are signed, not encrypted. The header and payload are just Base64-encoded (not encrypted) so anyone can read them. The signature prevents tampering but doesn't hide the contents.
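The key-less decoding described in the FAQ, as an added JavaScript example (not this tool's own code): it splits the token, decodes the header and payload from the URL-safe Base64 alphabet JWTs use, evaluates "exp", and marks the result as unverified. The names `b64urlToJson` and `inspectJwt` and the warning strings are assumptions; `SAMPLE` is the demo token from this page.

```javascript
// Decode one base64url segment ('-' and '_' alphabet, '=' padding stripped).
function b64urlToJson(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error("segment is not base64url");
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/")
    .padEnd(Math.ceil(segment.length / 4) * 4, "=");
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  // fatal:true rejects invalid UTF-8 instead of silently substituting U+FFFD.
  const value = JSON.parse(new TextDecoder("utf-8", { fatal: true }).decode(bytes));
  if (value === null || typeof value !== "object" || Array.isArray(value)) {
    throw new Error("segment is not a JSON object");
  }
  return value;
}

// Inspect a JWT without a key. Nothing returned here is authenticated:
// the claims are only what the token says about itself.
function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const header = b64urlToJson(parts[0]);
  const payload = b64urlToJson(parts[1]);
  const warnings = [];
  if (String(header.alg).toLowerCase() === "none") warnings.push("alg is none: token is unsigned");
  if (parts[2] === "") warnings.push("signature segment is empty");
  let expired = null; // null means there is no usable exp claim
  if (typeof payload.exp === "number") expired = nowSeconds >= payload.exp;
  else warnings.push("exp missing or not a number");
  return { header, payload, expired, signatureVerified: false, warnings };
}

// Demo token copied from this page.
const SAMPLE = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyLCJleHAiOjE3MzQyODgwMDB9.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c";

console.log(inspectJwt(SAMPLE));
```

Because `signatureVerified` is always false here, the output is suitable for debugging only; authorization decisions need a library that checks the signature with the secret or public key.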