What is a JWT decoder?
A JSON Web Token (JWT) is a compact, URL-safe token made of three Base64URL-encoded parts separated by dots: a header, a payload and a signature. JWTs are widely used for authentication and authorisation — after you log in, a server issues a JWT that your browser sends with each request to prove who you are.
This decoder splits a token on its dots and Base64URL-decodes the header and payload so you can read the claims inside, including human-readable timestamps for issued-at (iat) and expiry (exp). Decoding happens entirely in your browser — your token is never transmitted anywhere.
Reading the claims
- Header — the signing algorithm (alg) and token type (typ).
- Payload — the claims, such as sub (subject), iss (issuer), aud (audience), iat (issued at) and exp (expiry).
- exp / iat — Unix timestamps shown here in readable date form so you can tell if a token is expired.
- Signature — present but not verified here, since verification requires the secret or public key.
Decoding is not verifying
Anyone can decode a JWT, because the header and payload are only encoded, not encrypted. That is exactly why you must never put secrets in a JWT payload. The signature is what proves the token is authentic and untampered — but verifying it requires the issuer's secret or public key, which this client-side tool does not have and does not ask for.
Use this decoder to debug and inspect tokens during development. To trust a token in production, always verify its signature and expiry on the server.