JWT Decoder

How to Decode a JWT Token

A JWT (JSON Web Token) has three parts separated by dots: header, payload and signature. Paste a token below to read the header and payload in plain JSON — entirely in your browser.

Decode a JWT

Paste a JWT

Header

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload

{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}

Issued (iat): Thu, 18 Jan 2018 01:30:22 GMT

Decoding only — the signature is notverified. Never paste production tokens you don't want exposed. Everything stays in your browser.

Steps to decode a JWT

Copy your JWT (it looks like xxxxx.yyyyy.zzzzz).
Paste it into the decoder above.
Read the decoded header and payload, including claims like exp and iat.

Important: decoding is not verifying

The header and payload of a JWT are only Base64URL-encoded, not encrypted, so anyone can read them. Decoding shows you the contents but does not check the signature — never trust a token's claims without verifying its signature on your server with the secret or public key.

Because this tool runs locally in your browser, your token isn't sent anywhere. Still, treat real tokens as secrets and avoid pasting production tokens into any online tool you don't control.

Frequently asked questions

Can I see when a JWT expires?

Yes. The payload usually includes an exp claim (a Unix timestamp) for expiry and iat for when it was issued. The decoder shows these in the payload.

Does decoding a JWT reveal the secret?

No. Decoding only reveals the header and payload. The signing secret or private key is never part of the token and cannot be recovered from it.