Does this verify the signature?

No — this tool only decodes the header and payload. It does not verify HS256, RS256, or ES256 signatures.

Is my token sent anywhere?

No. Decoding is base64 + JSON.parse, all in JavaScript. Your token never leaves the page. We have no server.

Can I paste with a 'Bearer ' prefix?

Yes — the prefix is stripped automatically.

What about expired tokens?

They still decode. The status badge says "expired" and the Expires row shows the date so you can spot when it lapsed.

My token uses unusual claims — will they show up?

All claims are shown in the Payload pane. Standard registered claims (iss / sub / aud / exp / iat / nbf / jti) also get a friendly label below.

JWT Decoder

Paste a JWT to inspect its header, payload, and expiry. Runs entirely in your browser — your token never leaves the page.

JWT

Decoded

Paste your token

Header

{
  "alg": "HS256",
  "typ": "JWT"
}

Signature

SflKxwRJSMeK…

Payload

{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}

Subject (sub): 1234567890
Issued (iat): Thu, 18 Jan 2018 01:30:22 GMT

What is a JWT?

A JSON Web Token is a compact, URL-safe means of representing claims between two parties. It’s three base64url-encoded parts joined by dots: header, payload, and signature.

The header and payload are just JSON — you can decode them with any JSON parser. The signature is opaque bytes derived from a secret or key, used by the receiver to verify the token wasn’t tampered with.

When do you need to decode one?

You’re debugging an auth flow and the API keeps returning 401.
You want to know when a token expires.
You want to read the user identity (the sub claim) out of a session token.
You’re inspecting tokens issued by a third-party identity provider.

Privacy promise

Decoding happens entirely in your browser. Nothing is sent to a server, ever. There’s no analytics on this page that captures the token. Close the tab and the token is gone.

Frequently asked questions.

Does this verify the signature?: No — this tool only decodes the header and payload. It does not verify HS256, RS256, or ES256 signatures.
Is my token sent anywhere?: No. Decoding is base64 + JSON.parse, all in JavaScript. Your token never leaves the page. We have no server.
Can I paste with a 'Bearer ' prefix?: Yes — the prefix is stripped automatically.
What about expired tokens?: They still decode. The status badge says "expired" and the Expires row shows the date so you can spot when it lapsed.
My token uses unusual claims — will they show up?: All claims are shown in the Payload pane. Standard registered claims (iss / sub / aud / exp / iat / nbf / jti) also get a friendly label below.

JWT Decoder

What is a JWT?

When do you need to decode one?

Privacy promise

Frequently asked questions.

More JSON tools.