A JSON Web Token (JWT) is a compact, URL-safe token format used for securely transmitting information between parties. It consists of three Base64URL-encoded parts — header, payload, and signature — separated by dots.

How do I decode a JWT token?

Paste your JWT into the input field and click "Decode JWT". The tool splits the token by dots, Base64URL-decodes each part, and displays the header and payload as formatted JSON.

Is the JWT signature verified?

No. This tool only decodes the header and payload — it does not verify the signature. Signature verification requires the secret key or public key and must be done server-side.

Is it safe to paste my JWT here?

Yes. This tool runs entirely in your browser — no data is sent to any server. Your token never leaves your device.

What are the exp, iat, and nbf claims in a JWT?

These are registered JWT claims: "exp" (expiration time) defines when the token expires, "iat" (issued at) records when it was issued, and "nbf" (not before) defines when the token becomes valid. All are Unix timestamps.

Free Tool

JWT Decoder

Decode a JSON Web Token — view the header, payload, and time claims (iss, exp, iat, nbf). No signature verification.

Paste Your JWT Token

Note: This tool only decodes the header and payload — it does not verify the signature. Never trust a JWT's claims without server-side signature verification.

What is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe token format. It has three parts separated by dots: Header (algorithm), Payload (claims), and Signature. The header and payload are Base64url-encoded JSON.

Signature verification

This tool decodes the header and payload only. It does not verify the signature. In production, always verify the JWT signature server-side using the issuer's public key or shared secret.

How to use

Paste a JWT (the three-part dotted string) into the input.
Click Decode JWT.
The header, payload, and time claims are displayed. Copy any section as formatted JSON.

Decoding runs entirely in your browser using Base64url decoding — nothing is sent to any server.

Frequently Asked Questions

Does this verify the JWT signature?: No. This tool only decodes — it does not verify. Never trust a JWT's claims in production without server-side signature verification.
What is the exp claim?: The exp (expiration time) claim is a Unix timestamp indicating when the token expires. This tool shows it as a human-readable date.

Related Tools

JWT Encoder

Generate signed JSON Web Tokens with HS256, HS384, or HS512

Epoch

Unix timestamp converter and date utility

Base64

Encode & decode Base64 strings instantly