What does decoding a JWT show me?

Decoding reveals the header (algorithm, token type) and the payload (claims). The signature is not verified, decoding only reads what is encoded in the token.

Is the token signature verified?

Signature verification requires the secret or public key, which is never available in a browser tool. This tool decodes the header and payload only.

How does the tool know if my token is expired?

If the payload contains an exp claim (a Unix timestamp), the tool compares it to the current time and displays the result. A token without an exp claim is treated as not having an expiry.

Is my token sent to a server?

All decoding runs in your browser using standard JavaScript. Our servers are not involved at any point. Still, treat tokens as credentials and avoid pasting production tokens on shared computers.

Decode JWT Token

Paste any JSON Web Token to decode its header and payload sections. Standard claims (exp, iat, sub, iss, aud) and any custom claims your application adds appear in a clear, readable layout. All decoding runs in your browser.

JWT token

⚠ Signature not verified, client-side only

VIEW

Runs entirely in your browser

How it works

A JWT consists of three Base64URL-encoded parts separated by dots. The tool splits the token, fixes URL-safe base64 encoding (replacing - with + and _ with /), pads to a multiple of 4 characters, then decodes with atob() and parses with JSON.parse(). All of this runs in your browser. Our servers are not involved.

Processing runs in your browser

Your JWT is decoded entirely in your browser. Our servers are not involved at any point. Treat tokens as sensitive credentials and avoid pasting production tokens in shared or public environments. You can check this yourselfin your browser's DevTools Network tab.

Technical specification

JSON Web Token (JWT) is defined in RFC 7519 (IETF, 2015). A JWT consists of three Base64url-encoded sections separated by .: header, payload, and signature. Base64url encoding is defined in RFC 4648 §5, which substitutes + with - and / with _ and omits padding, making it safe for use in URLs without percent-encoding. Signed JWTs (JWS) are specified separately in RFC 7515.

Structure: header.payload.signature (3 Base64url parts)
Standards: RFC 7519 (JWT), RFC 7515 (JWS), RFC 4648 (Base64url)
Header claims: alg (algorithm), typ (token type)
Common payload claims: sub, iss, exp, iat, aud

Related operations

To inspect the raw Base64 segments of a token, try Base64. For verifying the signing input by hash, use the hash generator. To pretty-print decoded payloads, see the JSON formatter.

Frequently asked questions

What does decoding a JWT show me?: Decoding reveals the header (algorithm, token type) and the payload (claims). The signature is not verified, decoding only reads what is encoded in the token.
Is the token signature verified?: Signature verification requires the secret or public key, which is never available in a browser tool. This tool decodes the header and payload only.
How does the tool know if my token is expired?: If the payload contains an exp claim (a Unix timestamp), the tool compares it to the current time and displays the result. A token without an exp claim is treated as not having an expiry.
Is my token sent to a server?: All decoding runs in your browser using standard JavaScript. Our servers are not involved at any point. Still, treat tokens as credentials and avoid pasting production tokens on shared computers.