Dev Converters
Crypto

JWT Decoder

Decode a JSON Web Token (JWT) to inspect its header and payload. Shows algorithm, claims, and expiry. Signature is never verified in-browser — only decoded.

How it works

A JWT is three base64url-encoded segments joined by dots: header, payload, signature. The header declares the signing algorithm (usually HS256 or RS256), the payload carries the claims (who, what, when, for how long), and the signature proves the first two have not been tampered with. The decoder only looks at the first two — verifying the third requires the secret or public key.

This tool splits on dots, base64url-decodes each of the first two segments, and pretty-prints the JSON. It also surfaces the raw signature so you can eyeball its length (32 bytes → HS256, 256 bytes → RS256). The signature is never verified locally because that would require pasting your signing key into a web app — which is exactly the kind of mistake that leads to production incidents.

Common claims: `iss` (issuer), `sub` (subject), `aud` (audience), `exp` (expiry, Unix seconds), `iat` (issued at, Unix seconds), `nbf` (not-before). For security audits, check that your tokens have short expiries (15 min is a good baseline for access tokens) and that refresh tokens are rotated. Never store long-lived JWTs in `localStorage` if you can help it — XSS will exfiltrate them.

Frequently asked questions

Does this verify the signature?
No. Verification requires the signing secret or public key, which you should never paste into a web tool. Use your server-side JWT library to verify.
Is my token sent anywhere?
No. Decoding happens entirely in your browser using base64url decoding. Nothing leaves your device.
Why is iat showing as a number instead of a date?
iat (issued at) and exp (expiry) are Unix timestamps in seconds. Use our timestamp converter to turn them into human dates.

Related tools