Does decoding a JWT verify the signature?

No. Decoding only reads the header and payload — it does not verify the signature. Signature verification requires the secret key (HMAC) or public key (RSA/ECDSA) used to sign the token, which this browser tool does not have. Never trust the claims in a decoded payload without server-side signature verification using the appropriate key.

Is it safe to paste my JWT here?

All decoding runs entirely in your browser — your JWT is never sent to a server or logged. However, JWTs can contain sensitive user claims (IDs, emails, roles). Avoid pasting production access tokens into any browser tool. Use test tokens or tokens already expired. For debugging, redact or mask the signature section before pasting.

What does "exp" mean in a JWT?

`exp` (expiry) is a standard JWT claim defined as a Unix timestamp — the number of seconds since 1970-01-01 00:00:00 UTC — after which the token must be rejected. This tool converts `exp` to a human-readable date and time and shows whether the token is currently valid, expired, or about to expire. The `iat` claim marks when the token was issued.

What is the difference between the JWT header, payload, and signature?

The header declares the signing algorithm (alg) and token type (typ). The payload carries the claims — data about the user and the token such as sub, iss, aud, exp, and iat. The signature is a cryptographic hash of the encoded header and payload, computed with a secret or private key, that lets a server confirm the token was not tampered with.

Why is my JWT invalid or failing to decode?

Common causes: the token is missing one of its three dot-separated parts, a Bearer prefix or quotes were copied along with the token, the string is truncated, or extra whitespace was introduced. Paste only the raw token — no "Bearer " prefix, no surrounding quotes, no line breaks. A valid JWT always contains exactly two dots.

What JWT algorithms does this tool support?

The decoder displays the algorithm declared in the token header — HS256, HS384, HS512 (HMAC-SHA family), RS256, RS384, RS512 (RSA), ES256, ES384, ES512 (ECDSA), and PS256 (RSASSA-PSS). It does not verify signatures for any algorithm since verification requires the signing key. The algorithm display helps identify which signing method your authentication server is configured to use.

developer

Free JWT Decoder — Inspect JSON Web Token Claims Instantly

A JSON Web Token (JWT) is a three-part Base64-encoded string separated by dots: header, payload, and signature. This tool decodes all three parts and displays them as readable JSON — showing the algorithm, token claims (sub, iss, exp, iat), and expiry status. Your token is never sent to any server.

Free — No SignupRuns in BrowserData Never UploadedPopular tool

developer

Decode and inspect JSON Web Token header, payload, and signature.

Decode JWT header and payload as readable formatted JSON
Surfaces all standard claims — sub, iss, aud, exp, iat, nbf — plus custom claims
Converts exp and iat Unix timestamps to human-readable dates
Flags whether the token is currently valid, expired, or not yet active
Displays the signing algorithm (HS256, RS256, ES256, etc.) from the header
Token never leaves your browser — fully private, no server calls

Features

Everything you need in one JWT Decoder

JWT decoder

Splits the token on its dots and decodes each Base64URL segment, rendering the header and payload as clean, readable JSON — no database lookup required.

Claims inspector

Surfaces standard claims — sub, iss, aud, exp, iat, nbf — plus any custom claims your application adds to the payload, all formatted for easy reading.

Expiry checker

Converts the exp and iat Unix timestamps to human-readable dates and clearly flags whether the token is still valid, expired, or not yet active (nbf).

Algorithm viewer

Reads the alg field from the header so you can confirm whether the token is signed with HS256, RS256, ES256, or another algorithm without leaving your browser.

How It Works

How to use JWT Decoder

Paste your JWT

Paste the full JWT token (including all three dot-separated parts) into the input field.

Inspect decoded output

The header and payload are decoded and formatted as JSON. Expiry time is shown in human-readable format.

Check validity and claims

See if the token is expired, what algorithm was used, and all claims present in the payload.

Format Comparison

Anatomy of a JSON Web Token — what each part contains

Part	Contains	Common fields
Header	Token type and signing algorithm	alg, typ, kid
Payload	Claims — data about the user and token	sub, iss, aud, exp, iat, nbf
Signature	Cryptographic hash of header + payload	HMAC-SHA256 or RSA / ECDSA signature

Troubleshooting

How to fix common syntax errors

Most “invalid JSON” failures come from a small set of mistakes. Paste the failing JSON above, click Validate, and the tool points you at the exact line and column.

Invalid JWT — wrong number of partsheader.payload (missing signature)

A valid JWT must have exactly three dot-separated segments. Check for truncation or accidental deletion of the signature portion.

Bearer prefix copied with token"Bearer eyJhbGc..."

Remove the "Bearer " prefix before pasting. Paste only the raw token starting with "eyJ" — no surrounding quotes, no keyword prefix.

Could not decode header or payloadnon-Base64URL characters

The segment is corrupted, truncated, or contains invalid characters. Verify you copied the complete token from the source without modification.

Token expiredexp timestamp in the past

The exp claim has passed. Request a fresh token from your authorization server. Check your server clock if tokens expire unexpectedly fast.

Trusting claims without signature verificationdecode-only in production

Decoding reveals the payload but does not prove the token is authentic. Always verify the signature server-side using the appropriate secret or public key before trusting any claim.

Sensitive data in JWT payloadpassword or API key in claims

JWT payloads are Base64URL-encoded — anyone holding the token can decode them instantly. Never put secrets, passwords, or private keys in the payload. Use opaque tokens or encryption if confidentiality is required.

FAQ

Frequently asked questions

A JSON Web Token (JWT) is a compact, URL-safe token format defined in RFC 7519, consisting of three dot-separated Base64-encoded parts: header (algorithm and token type), payload (claims such as user ID, expiry, and issuer), and signature. JWTs are the dominant format for stateless authentication in REST APIs and single-page applications — readable without a database lookup.

Related Tools

You might also need

Base64 Encoder / Decoder

Encode and decode Base64 strings instantly in your browser.

JSON Formatter & Validator

Format, validate, and minify JSON instantly in your browser.

Strong Password Generator

Generate cryptographically secure passwords instantly.

Regex Tester

Test regular expressions against strings with live match highlighting.

SQL Formatter

Format and beautify SQL queries with consistent indentation and keyword casing.

Cron Expression Builder

Build cron schedules visually and get the expression + plain-English explanation.

.env File Generator

Generate a boilerplate .env file for Laravel, Next.js, Node.js, or Docker.

.htaccess Generator

Generate Apache .htaccess rules for redirects, HTTPS, caching, and security headers.

References

Need this built into your product?

We design and build custom software — SaaS platforms, MVPs, AI agents, and web apps.

Let's talk

Custom SaaS Development

End-to-end SaaS — API, auth, billing, dashboard, deployment.

MVP Development

Working product in 6–8 weeks. Fixed price, committed timeline.

AI Agent Development

Custom AI agents and workflow automation for your stack.

Web App Development

Full-stack web apps built with modern frameworks and best practices.

Have a project in mind?

We turn ideas into production-ready software — SaaS, web apps, mobile, and AI agents. Fixed price. Committed timeline. No surprises.