JWT Decoder
Decode JSON Web Tokens and inspect claims. Your token never leaves your browser.
Token Input
JWT Decoder and Token Inspector
Paste any JWT token to instantly decode its header and payload. Standard claims like expiry, issuer, and subject are labelled automatically. The tool shows whether the token is still valid, expired, or not yet active based on your local time.
Security note: JWTs are base64-encoded, not encrypted. This decoder reads the payload without verifying the signature — never trust decoded claims in production without server-side signature verification.
Frequently Asked Questions
- Is it safe to decode my JWT here?
- Yes. The decoder runs entirely in your browser using JavaScript. Your token is never sent to any server. This tool only decodes the header and payload — it does NOT verify the signature.
- What is the difference between decoding and verifying a JWT?
- Decoding reads the header and payload from the token (they are base64-encoded, not encrypted). Verifying checks the signature against a secret key to confirm the token was issued by a trusted source. This tool decodes only.
- What does "token expired" mean?
- JWTs contain an exp claim (expiration time) as a Unix timestamp. If the current time is past that timestamp, the token is expired and should not be accepted.
- What are standard JWT claims?
- Standard claims include iss (issuer), sub (subject), aud (audience), exp (expiration), nbf (not before), iat (issued at), and jti (JWT ID). The tool labels these automatically.