Free JWT Decoder
Decode JWT tokens and inspect header, payload, and signature instantly.
About this tool
How to use
Frequently Asked Questions
A JSON Web Token (JWT) is a compact, self-contained way to securely transmit information between parties as a JSON object. It is commonly used for authentication - after login, a server issues a JWT that the client sends with subsequent requests to prove its identity.
No. This tool only decodes the Header and Payload portions of a JWT. Verifying the signature requires the secret key (for HMAC algorithms) or the public key (for RSA/ECDSA), which you should never share with a browser tool. Signature verification should be done server-side.
Yes - this tool runs entirely in your browser. Your token never leaves your device and is never sent to any server. However, be cautious with production tokens in general - if exposed, they could grant unauthorized access until they expire.
The 'exp' (expiration time) claim identifies the time after which the JWT must not be accepted. It is a Unix timestamp (seconds since January 1, 1970). This tool automatically converts it to a readable date and warns you if the token has expired.
A JWT consists of: 1) Header - contains the token type (JWT) and signing algorithm (e.g., HS256, RS256). 2) Payload - contains the claims (statements about the user and metadata). 3) Signature - ensures the token was not tampered with.
