JWT Decoder
Decode and inspect JSON Web Tokens without signature verification.
This tool only decodes the token. It does not verify signatures.
How to Use the JWT Decoder
JSON Web Tokens (JWTs) are a compact way to transmit information between parties as a JSON object. This tool lets you inspect the contents of any JWT without needing to install libraries or write code. Here is how to use it:
- Paste your JWT. Copy a JWT token from your application, API response, browser storage, or authentication header and paste it into the input field. The token should start with "eyJ" (the base64url encoding of the opening characters of a JSON object).
- View the decoded parts. The tool instantly decodes the token into three sections: the header (which contains the algorithm and token type), the payload (which contains the claims and data), and the signature (shown as a hex string).
- Check expiration. If the payload contains an "exp" claim, the tool shows whether the token is expired and displays both the issued-at and expiration dates in a readable format.
- Copy or share. Use Copy Payload to copy the decoded payload JSON to your clipboard. Use Share to generate a link with the token pre-filled.
This decoder runs entirely in your browser. No data is sent to any server. However, you should still be cautious about pasting production tokens containing sensitive data into any web tool.
About JSON Web Tokens
A JWT consists of three base64url-encoded parts separated by dots: header, payload, and signature. The header specifies the signing algorithm (e.g., HS256, RS256). The payload contains claims, which are statements about the user or entity, such as user ID, email, roles, and token expiration time. The signature is used to verify the token has not been tampered with.
This tool decodes the header and payload by base64url-decoding them and parsing the resulting JSON. It does not verify the signature because that requires the signing key or public key, which this client-side tool does not have. To verify signatures, use a server-side library like jsonwebtoken (Node.js), PyJWT (Python), or java-jwt (Java).
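The decode-only steps described above, as an added Node.js example (not this tool's own source code): it base64url-decodes the header and payload, parses the JSON, renders the signature as hex, and evaluates "exp" against a supplied clock. The function names, the returned field names, and the sample token are assumptions made for illustration.

```javascript
function b64urlToBuffer(segment) {
  // base64url uses "-" and "_" and drops "=" padding; a length of 4n+1 is never valid.
  if (!/^[A-Za-z0-9_-]*$/.test(segment) || segment.length % 4 === 1) {
    throw new Error("segment is not base64url");
  }
  return Buffer.from(segment.replace(/-/g, "+").replace(/_/g, "/"), "base64");
}

function parseJsonObject(segment) {
  const value = JSON.parse(b64urlToBuffer(segment).toString("utf8"));
  if (value === null || typeof value !== "object" || Array.isArray(value)) {
    throw new Error("segment does not decode to a JSON object");
  }
  return value;
}

// Unix seconds -> ISO string, or null when the claim is absent or not a usable number.
function toIso(seconds) {
  const ok = typeof seconds === "number" && Math.abs(seconds * 1000) <= 8.64e15;
  return ok ? new Date(seconds * 1000).toISOString() : null;
}

function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const header = parseJsonObject(parts[0]);
  const payload = parseJsonObject(parts[1]);
  const expiresAt = toIso(payload.exp);
  return {
    header,
    payload,
    signatureHex: b64urlToBuffer(parts[2]).toString("hex"),
    issuedAt: toIso(payload.iat),
    expiresAt,
    // null = no usable exp claim, which is not the same as "still valid"
    expired: expiresAt === null ? null : nowSeconds >= payload.exp,
    verified: false, // decoding alone never establishes authenticity
  };
}

// Constructed sample token; the signature is four placeholder bytes, not a real MAC.
const toB64url = (b) => b.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE_TOKEN = [
  Buffer.from(JSON.stringify({ alg: "HS256", typ: "JWT" })),
  Buffer.from(JSON.stringify({ sub: "user-1", iat: 1700000000, exp: 1700003600 })),
  Buffer.from([0xde, 0xad, 0xbe, 0xef]),
].map(toB64url).join(".");

console.log(decodeJwt(SAMPLE_TOKEN, 1700000001));
```

The result always carries verified: false, so code that consumes it cannot mistake a successfully decoded token for an authenticated one.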
Frequently Asked Questions
Does this tool verify the JWT signature?
No. This tool only decodes the header and payload. Signature verification requires the secret key (for HMAC algorithms) or public key (for RSA/ECDSA), which this browser-based tool does not have. Use a server-side library to verify signatures in your application.
Is it safe to paste my JWT here?
This tool runs entirely in your browser. No data is sent to any server. However, JWTs often contain personal information (user IDs, emails, roles) and should be treated as sensitive. Avoid pasting production tokens containing real user data into any online tool. Use test or development tokens when possible.
What does "exp" mean in a JWT?
The "exp" claim is the expiration time of the token, stored as a Unix timestamp (seconds since January 1, 1970). If the current time is past the "exp" value, the token is expired and should not be accepted. This tool checks the exp claim and displays whether the token is currently expired.
Why does my JWT start with "eyJ"?
The letters "eyJ" are the base64url encoding of the opening brace and quote that start every JSON object. Since both the JWT header and payload are JSON objects, the first part of the token always starts with "eyJ". This is a quick way to recognize a JWT at a glance.