Runs locally in your browser

JWT Decoder

Paste a JSON Web Token to decode the header and payload, inspect timing claims, and spot common mistakes. The token is never sent to any server.

Sharing options

URL sharing is disabled by default. Use the share button below to copy a sanitized summary.

How it works

A JSON Web Token (JWT) is three URL-safe base64 segments separated by periods: a header, a payload, and a signature. The header and payload are JSON. The signature is a binary blob that authenticates the first two segments.

This decoder splits the input on the periods, base64url-decodes the first two segments, and parses each as JSON. It does not verify the signature — verification needs the issuer's key, which is not safe to handle in a generic web tool. Look for the warnings below the badges if the token looks suspicious (for example, alg: none).
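The decode-only flow described above, as an added example (not this page's own code). The names `b64urlToJson` and `inspectJwt`, the warning strings, and the sample token are assumptions constructed for illustration:

```javascript
// Added example: decode-only JWT inspection. It never verifies the signature.
function b64urlToJson(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error("segment is not base64url");
  // base64url -> base64, restoring the padding that JWTs omit
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/")
    .padEnd(Math.ceil(segment.length / 4) * 4, "=");
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  // fatal: true rejects invalid UTF-8 instead of silently substituting characters
  return JSON.parse(new TextDecoder("utf-8", { fatal: true }).decode(bytes));
}

function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected three period-separated segments");
  const header = b64urlToJson(parts[0]);
  const payload = b64urlToJson(parts[1]);
  const warnings = [];
  if (typeof header.alg !== "string") {
    warnings.push("header has no alg");
  } else if (header.alg.toLowerCase() === "none") {
    // Assumption: match case-insensitively so "None" or "NONE" is flagged too
    warnings.push("alg: none declares an unsigned token");
  }
  if (parts[2] === "") warnings.push("signature segment is empty");
  const times = {};
  for (const claim of ["iat", "exp"]) {
    if (!(claim in payload)) continue;
    if (typeof payload[claim] !== "number" || !Number.isFinite(payload[claim])) {
      warnings.push(`${claim} is not a number`);
    } else {
      times[claim] = new Date(payload[claim] * 1000); // seconds since epoch -> ms
    }
  }
  if (times.exp && payload.exp <= nowSeconds) warnings.push("token is expired");
  // verified is always false: decoding alone says nothing about authenticity
  return { header, payload, times, warnings, verified: false };
}

// Constructed sample: an unsigned token with an empty signature segment.
const enc = (obj) =>
  btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const sampleToken =
  `${enc({ alg: "none", typ: "JWT" })}.${enc({ sub: "demo", iat: 1700000000, exp: 1700003600 })}.`;
const sampleResult = inspectJwt(sampleToken, 1700007200);
console.log(sampleResult.warnings, sampleResult.times.exp.toLocaleString());
```

Anything this returns is unauthenticated input; an application must verify the signature with the issuer's key before acting on a claim.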

Privacy

Decoding happens entirely in your browser. The token is never sent to a server. Sharing is opt-in: by default the share action sanitizes the token and copies a summary, not the raw token.

Edge cases and notes

FAQ

Is the token sent anywhere?
No. The page is static and decoding is done by JavaScript running in your browser. Nothing is uploaded.

Why is the signature not verified?
Verification needs the issuer's signing key. Pasting that key into a web tool is risky. If you need verification, use a CLI such as jwt-cli or your auth provider's tools.

What does “alg: none” mean?
It declares an unsigned token. Some libraries historically accepted these without checking, which lets attackers forge tokens. This decoder warns prominently when it sees none.

How are exp and iat interpreted?
Per RFC 7519, both are seconds since the Unix epoch. They are converted to your local timezone for display.