Decode a JSON Web Token to read its header, payload, and claims. Everything is decoded locally in your browser — your token is never sent anywhere.
A JSON Web Token is three Base64URL-encoded parts joined by dots:
header.payload.signature. The header says which algorithm signed it, the
payload carries the claims (who the token is for, when it expires), and the signature lets
a server verify the first two parts weren’t tampered with. This tool decodes the
header and payload so you can read them — decoding is not the same as verifying.
iss — issuer, who created the token.
sub — subject, usually the user ID.
aud — audience, who the token is meant for.
exp — expiry (Unix seconds); after this the token is invalid.
iat — issued-at.
nbf — not-valid-before.
This decoder humanizes exp, iat, and nbf into readable dates and flags an expired token.
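The decoding step described above, as an added example (this is not the page's own decoder code): it splits the token on dots, Base64URL-decodes the header and payload, converts exp, iat and nbf to ISO dates, and flags an expired or not-yet-valid token. The sample token, its claims and the placeholder signature are constructed for the example; the signature is never checked here.

```javascript
// Added example, not the page's own decoder: split a JWT into its three parts,
// Base64URL-decode the header and payload, and humanize exp/iat/nbf.
// The signature is left untouched; nothing here verifies it.

// Base64URL (RFC 4648 section 5) uses '-' and '_' and drops '=' padding;
// restore both before handing the string to Node's standard base64 decoder.
function b64urlDecode(s) {
  const pad = s.length % 4 === 0 ? '' : '='.repeat(4 - (s.length % 4));
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/') + pad;
  return Buffer.from(b64, 'base64').toString('utf8');
}

function b64urlEncode(obj) {
  return Buffer.from(JSON.stringify(obj), 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

const TIME_CLAIMS = ['exp', 'iat', 'nbf'];

// nowSeconds is injectable so the expiry check is reproducible in tests.
function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const [h, p, sig] = parts;
  const header = JSON.parse(b64urlDecode(h));
  const payload = JSON.parse(b64urlDecode(p));
  const times = {};
  for (const claim of TIME_CLAIMS) {
    if (typeof payload[claim] === 'number') {
      // Claims are Unix seconds; Date wants milliseconds.
      times[claim] = new Date(payload[claim] * 1000).toISOString();
    }
  }
  return {
    header,
    payload,
    times,
    expired: typeof payload.exp === 'number' && payload.exp <= nowSeconds,
    notYetValid: typeof payload.nbf === 'number' && payload.nbf > nowSeconds,
    signaturePresent: sig.length > 0,
  };
}

// Constructed sample token: the claims and the placeholder signature are made up.
const SAMPLE_TOKEN = [
  b64urlEncode({ alg: 'HS256', typ: 'JWT' }),
  b64urlEncode({ iss: 'https://issuer.example', sub: 'user-123', aud: 'api.example',
                 iat: 1700000000, nbf: 1700000000, exp: 1700003600 }),
  'placeholder_signature',
].join('.');

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(decodeJwt(SAMPLE_TOKEN, 1700001000), null, 2));
}
```

Run it with `node decode.js`; the printed object shows iat and nbf as 2023-11-14T22:13:20Z and exp an hour later. Note that `expired` is judged against whatever clock you pass in, just as the page's decoder judges against your device clock.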
The payload is only encoded, not encrypted. Anyone holding the token can read every claim — exactly like this page does. Never put secrets in a JWT payload, and never trust a token without verifying its signature on the server. This tool deliberately does not ask for your signing secret: it decodes locally and never transmits your token.
No. Verifying requires your secret or public key, which should stay on your server. This tool only decodes the readable header and payload — the safe, common need when debugging.
Never. All decoding is JavaScript running on this page, so your token stays in your browser and the tool works offline.
The exp claim is in the past relative to your device clock. An expired token will be rejected by a correctly configured server.
Working with the JSON inside a token? Generate types with JSON → TypeScript. Scheduling token refreshes? Build the timing with the cron generator.