
JWT Decoder

Decode and inspect JSON Web Tokens — header, payload, and signature.

How to Decode a JWT Token

  1. Paste your JWT token in the input field. A JWT looks like three Base64URL strings separated by dots (xxxxx.yyyyy.zzzzz).
  2. Click "Decode" to parse the token.
  3. The decoded header and payload appear as formatted JSON. The header shows the algorithm and token type.
  4. Timestamp fields (iat, exp, nbf) are automatically converted to human-readable dates.
  5. The signature is displayed separately. Note: this tool decodes but does not verify signatures.

Features

Decode JWT header, payload, and signature
Auto-detect and format timestamp fields (iat, exp, nbf)
Display human-readable expiration dates
Formatted JSON output for easy reading
Clear error messages for invalid tokens
No server communication — your tokens stay private
Supports all JWT algorithms (HS256, RS256, ES256, etc.)
Instantly detect expired tokens

Frequently Asked Questions

What is a JWT (JSON Web Token)?
A JWT is a compact, URL-safe token format used for securely transmitting information between parties. It consists of three parts: a header (algorithm and type), a payload (claims/data), and a signature. JWTs are commonly used for authentication and API authorization.
Is it safe to paste my JWT here?
Yes. This tool runs entirely in your browser. Your JWT is never sent to any server. However, be aware that JWTs often contain sensitive information, so avoid sharing them publicly regardless of the tool you use.
Does this tool verify JWT signatures?
No. This tool only decodes and displays the contents of a JWT. Signature verification requires the secret key or public key, which should remain secure on your server. Use server-side libraries for signature verification.
What do iat, exp, and nbf mean?
These are standard JWT claims: 'iat' (Issued At) is when the token was created, 'exp' (Expiration Time) is when it expires, and 'nbf' (Not Before) is the earliest time the token is valid. All are Unix timestamps.
Can I decode any JWT?
You can decode any properly formatted JWT (three Base64URL-encoded segments separated by dots). The contents will be displayed regardless of the signing algorithm or whether the token is expired.
