JWT Decoder
Paste a JSON Web Token to read its header and payload as formatted JSON, with exp, iat and nbf shown as readable dates. Decoding happens in your browser and the signature is never verified.
How to decode a JWT
- Paste your JSON Web Token into the box.
- Read the decoded header and payload, with any time claims shown as dates.
- Copy the header or payload JSON you need.
Examples
Standard HS256 token
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
{"alg":"HS256","typ":"JWT"} / {"sub":"1234567890","name":"John Doe","iat":1516239022}Frequently asked questions
What is a JWT?
A JSON Web Token is a compact, URL-safe token with three base64url parts separated by dots: a header, a payload of claims, and a signature. It is widely used to carry login and authorization data between a server and a client.
Is decoding a JWT the same as verifying it?
No. This tool only decodes the header and payload so you can read them. It does not check the signature, the algorithm or the key, so a decoded token must never be trusted as authentic. Use a JWT library with the signing key to verify.
Is it safe to paste my token here?
The token is decoded entirely in your browser and is never sent to a server. Still, a JWT can carry sensitive data, so avoid pasting production or long-lived tokens into any online tool you do not control.
What do exp, iat and nbf mean?
They are standard time claims in seconds since 1970 (the Unix epoch): iat is when the token was issued, exp is when it expires, and nbf is the time before which it should not be accepted. This tool shows each one as a readable UTC date.
Why is the payload not encrypted?
A standard signed JWT is encoded, not encrypted. Anyone holding the token can base64url-decode the payload and read every claim, so never put secrets such as passwords in it.
Does it work with RS256 and other algorithms?
Yes. Decoding only reads the base64url parts, so it works for any algorithm including HS256, RS256 and ES256. The algorithm appears in the header as the alg field.
Learn more
- JWT structure explained: header, payload, signature
What each part of a JSON Web Token contains, how the parts are encoded, and which claims are standard.
Related tools
Base64 Decode
Decode Base64 to plain text online. Paste a Base64 or base64url string and get instant UTF-8 output. Free, fast and runs in your browser.
Base64 Encode
Encode text to Base64 online. UTF-8 safe, handles emoji and accents, with an optional URL-safe (base64url) mode. Runs in your browser, nothing uploaded.
.env to JSON
Convert a .env file to JSON, or JSON back to .env. Parses KEY=value lines, comments, quotes and export. Runs entirely in your browser.
Aspect Ratio Calculator
Calculate aspect ratios fast. Enter a ratio like 16:9 and one dimension to get the other, or enter width and height to simplify the ratio.
Base58 Encoder
Encode and decode Base58 online with the Bitcoin alphabet. Convert text to Base58 or back, UTF-8 safe, no confusing 0 O I l. Runs in your browser.
Basic Auth Generator
Generate an HTTP Basic Authorization header from a username and password. Get the base64 value, header line and ready curl commands. Runs in your browser.