JWT decoder
Paste any JWT to decode its header and payload. Expiry and issued-at times are shown in human-readable format.
How JWT decoding works
A JSON Web Token (JWT) consists of three Base64url-encoded parts separated by dots: Header.Payload.Signature. The header names the signing algorithm (e.g., HS256, RS256). The payload contains claims: standard fields like sub (subject), iat (issued at), exp (expiry), and aud (audience), plus any custom claims added by the application. The signature is not a plain hash: it is a keyed MAC (e.g., HS256) or a digital signature (e.g., RS256) computed over the encoded header and payload, so it can only be produced or checked with the corresponding key.
This tool decodes the header and payload by Base64url-decoding each segment and parsing the resulting JSON. The expiry timestamp (exp) is displayed as a human-readable date. Important: decoding a JWT does not verify its authenticity — the signature is not validated here, as that requires the secret key or public key from the server. A decoded JWT shows you what claims it contains; only server-side signature verification confirms those claims are trustworthy. Never trust decoded JWT claims for access control in a browser.
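The decoding steps described above, as an added example (not this tool's own source code). The function names, the shape of the returned object, and the sample token are assumptions made for illustration; the sample is constructed and carries a placeholder signature.

```javascript
// Decode (never verify) a JWT: Base64url-decode header and payload, parse the JSON.
function b64urlToBytes(segment) {
  if (!/^[A-Za-z0-9_-]*$/.test(segment)) throw new Error("not Base64url");
  if (segment.length % 4 === 1) throw new Error("bad Base64url length");
  // Base64url -> Base64: swap the URL-safe characters and restore padding.
  let b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  b64 += "=".repeat((4 - (b64.length % 4)) % 4);
  return Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
}

function decodeSegment(segment) {
  // Segments are UTF-8 JSON; fatal:true rejects malformed byte sequences.
  const text = new TextDecoder("utf-8", { fatal: true }).decode(b64urlToBytes(segment));
  const obj = JSON.parse(text);
  if (obj === null || typeof obj !== "object" || Array.isArray(obj)) {
    throw new Error("segment is not a JSON object");
  }
  return obj;
}

// exp and iat are seconds since the Unix epoch; Date expects milliseconds.
function toIso(v) {
  const ok = typeof v === "number" && Number.isFinite(v) && Math.abs(v) <= 8.64e12;
  return ok ? new Date(v * 1000).toISOString() : null;
}

function decodeJwt(token, nowMs = Date.now()) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected Header.Payload.Signature");
  const header = decodeSegment(parts[0]);
  const payload = decodeSegment(parts[1]);
  return {
    header,
    payload,
    issuedAt: toIso(payload.iat),
    expiresAt: toIso(payload.exp),
    expired: typeof payload.exp === "number" ? nowMs >= payload.exp * 1000 : null,
    signatureVerified: false, // decoding alone never checks the signature
  };
}

// Constructed sample token (placeholder signature, not a real credential).
const enc = (o) =>
  btoa(JSON.stringify(o)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE_JWT = [
  enc({ alg: "HS256", typ: "JWT" }),
  enc({ sub: "user-123", aud: "example-api", iat: 1700000000, exp: 1700003600 }),
  "c2ln",
].join(".");
```

A token whose payload has been altered decodes just as cleanly as a genuine one, which is why signatureVerified is always false here and the claims must be verified server-side before use.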