DevDockTools

JWT Decoder

Paste any JWT token to instantly decode the header and payload sections. View all claims, check expiration time, and inspect token structure — without needing a secret key.

A JWT (JSON Web Token) has three Base64url-encoded parts separated by dots: header (algorithm), payload (claims), and signature. Decoding shows the algorithm used and all payload claims like sub, iat, exp, and any custom data — no secret key required to read them.

Debugging authentication flows
Inspecting token expiry (exp claim)
Checking user roles/permissions in claims
Verifying algorithm (alg) in the header
100% private — all processing runs in your browser. No files are uploaded to any server.


Frequently Asked Questions

Is my JWT token secure?

All decoding happens in your browser with no server communication. Never paste production tokens into untrusted tools.

Can the tool verify the signature?

No. JWT signature verification requires the secret key or public certificate. This tool only decodes the payload — it does not validate authenticity.

What is the exp claim?

The exp (expiration time) claim is a Unix timestamp indicating when the token expires. The tool displays this as a human-readable date and shows whether the token has already expired.

Why can I read JWT claims without a secret key?

JWT payloads are Base64url-encoded, not encrypted. Anyone who has the token can read its claims. The signature only proves the token was issued by the expected party — it does not hide the contents.
