JWT Decoder

Decode & Inspect JWTs Instantly

View header, payload, all claims, expiry status, and algorithm — without leaving your browser.


Decoding runs entirely in your browser. Your token is never sent to any server.

How JWT tokens work

A JWT has three parts: header, payload, and signature, each Base64url-encoded and joined by dots. The header declares the signing algorithm; the payload carries claims (data); the signature lets the recipient detect tampering, but only once it has been verified with the correct key. Decoding alone proves nothing about who issued the token.

The payload is not encrypted — it is only encoded. Anyone who has the token can read the claims. Sensitive data should never be placed in a JWT payload unless the token itself is encrypted (JWE).

Frequently asked questions

What is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe token used to represent claims between two parties. It consists of three Base64url-encoded parts separated by dots: a header (algorithm), a payload (claims), and a signature.

Is it safe to decode a JWT in an online tool?

Decoding only reads the unencrypted header and payload; it does not expose the secret signing key, which stays on your server. However, a token that is still valid is a bearer credential: anyone who obtains it can present it until it expires. If your payload contains sensitive data, or the token is live, avoid pasting production tokens into any online tool. This tool runs entirely client-side with no server logging.

Does this tool verify the signature?

No. Signature verification requires the secret key (for HMAC algorithms) or the public key (for RSA/EC algorithms); the secret key in particular should never be shared with a client-side tool. This tool decodes the payload for inspection only.

How do I tell whether a JWT has expired?

If the JWT payload contains an exp claim, it holds a Unix timestamp (seconds since the epoch) representing the expiry time. If the current time is past that timestamp, the token is considered expired and should be rejected by any server that validates it. A token may also carry an nbf (not before) claim, before which it is not yet valid.

What are the standard JWT claims?

Registered (standard) claims include: iss (issuer), sub (subject), aud (audience), exp (expiration), nbf (not before), iat (issued at), and jti (JWT ID). All of them are optional. Custom claims can be anything your application needs.
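The following is an added example, not the page's own decoder, showing the decode-only workflow described above (Base64url decode of header and payload, expiry status from exp/nbf, and separation of registered from custom claims). The sample token is constructed inline with a placeholder signature; the helper names are this example's own.

```javascript
// Added example: decode-only JWT inspector. It never verifies the signature.
function base64urlDecode(s) {
  // Base64url uses '-' and '_' and drops '=' padding; restore standard Base64.
  let b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  while (b64.length % 4 !== 0) b64 += '=';
  if (typeof Buffer !== 'undefined') return Buffer.from(b64, 'base64').toString('utf8');
  const bin = atob(b64); // browser path: binary string -> UTF-8 text
  return new TextDecoder().decode(Uint8Array.from(bin, c => c.charCodeAt(0)));
}

function base64urlEncode(str) {
  // Only used to build the constructed sample token below.
  const b64 = typeof Buffer !== 'undefined'
    ? Buffer.from(str, 'utf8').toString('base64')
    : btoa(String.fromCharCode(...new TextEncoder().encode(str)));
  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

const STANDARD_CLAIMS = ['iss', 'sub', 'aud', 'exp', 'nbf', 'iat', 'jti'];

function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('JWT must have exactly three dot-separated parts');
  const header = JSON.parse(base64urlDecode(parts[0]));
  const payload = JSON.parse(base64urlDecode(parts[1]));
  // exp: token is expired once now >= exp. nbf: token is not usable while now < nbf.
  let status = 'active';
  if (typeof payload.exp === 'number' && nowSeconds >= payload.exp) status = 'expired';
  else if (typeof payload.nbf === 'number' && nowSeconds < payload.nbf) status = 'not-yet-valid';
  return {
    header,
    payload,
    algorithm: header.alg,
    standardClaims: Object.keys(payload).filter(k => STANDARD_CLAIMS.includes(k)),
    customClaims: Object.keys(payload).filter(k => !STANDARD_CLAIMS.includes(k)),
    status,
    signatureVerified: false, // decoding never checks the signature; the key is not available here
  };
}

// Constructed sample token (not a real credential); the third part is a placeholder.
const SAMPLE_TOKEN = [
  base64urlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' })),
  base64urlEncode(JSON.stringify({ iss: 'example.test', sub: 'user-42', iat: 1700000000, exp: 1700003600, role: 'viewer' })),
  'placeholder-signature',
].join('.');

console.log(JSON.stringify(inspectJwt(SAMPLE_TOKEN, 1700001000), null, 2));
```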
