JWT Decoder
Last updated: 2026-06-25
The JWT decoder is a free tool that splits a JSON Web Token on its dots (.), Base64URL-decodes the header and payload, and shows them as JSON.
It does not verify the signature, and everything runs in your browser so the token is never sent to a server.
JWT input
This tool only displays the token contents; it does not verify the signature. Verify the authenticity of production tokens on the server.
Header
Payload
How to use
- Paste the token — paste a JWT in the form header.payload.signature into the input box.
- Run decode — click Decode to split the token on dots (.) and Base64URL-decode the header and payload.
- Review the result — the header and payload JSON plus the expiration (exp) and issued (iat) times are shown. The signature is not verified.
Understanding the JWT structure
A JWT (JSON Web Token) is a widely used token format for authentication and authorization. It consists of three parts separated by dots (.), each with a specific role.
| Part | Contents | Encoding |
|---|---|---|
| Header | Algorithm (alg), type (typ) | Base64URL(JSON) |
| Payload | Claims (sub, name, iat, exp, etc.) | Base64URL(JSON) |
| Signature | Signature of header and payload | Secret/public key based |
The header and payload can be decoded by anyone, so you must not put secrets in the payload — it is essentially plain JSON. To pretty-print the decoded JSON, use the JSON formatter; to view timestamps like exp and iat in other formats, use the Unix timestamp converter.
Frequently asked questions (FAQ)
Does this tool verify the JWT signature?
No. This JWT decoder only decodes the header and payload to show their contents; it does not verify the signature. Signature verification requires a secret or public key, so a token's authenticity must always be verified on the server side.
Is my token sent to a server?
No. All decoding is handled in the browser with JavaScript, and the JWT you enter is never sent to or stored on a server. Even so, it is safer to avoid pasting production access tokens into any external tool.
What is the structure of a JWT?
A JWT consists of three parts separated by dots (.): header.payload.signature. The header and payload are Base64URL-encoded JSON, and the signature is the header and payload signed with a secret key.
What are exp and iat?
exp is the token expiration time and iat is the issued time, both as Unix timestamps in seconds. This tool converts these values to human-readable dates and compares them with the current time to indicate whether the token is expired.
Related tools & guides
Last updated: 2026-06-25