Proje Defteri

🔑 JWT Decoder

Paste your JSON Web Token to instantly decode the header, payload and signature. Dates become readable and expiry is checked — everything runs in your browser.

⚠️ Decode only: This tool does not verify the signature and does not guarantee the token is genuine. All processing happens in your browser; your token is never sent anywhere.

What is a JWT Decoder?

A JWT decoder is a developer tool that splits a JSON Web Token into its three parts — header, payload and signature — and displays them as readable JSON. Tokens are widely used to carry authentication and authorization information between applications. When you are debugging and need to quickly see which claims a token contains, who the user is, or when the token expires, this tool makes the job effortless. All decoding happens in your browser; the token you paste is never sent to any server.

How is a JWT structured?

A JWT has the form header.payload.signature, three parts separated by dots. The header contains the signing algorithm (for example HS256 or RS256) and the token type. The payload carries application-specific data and standard claims (sub, iss, aud, exp, iat, nbf). The signature is the header and payload signed with a secret key, used server-side to confirm the token has not been tampered with. The header and payload are Base64Url-encoded, which means they are encoded — not encrypted — and can be decoded by anyone.

How to use it

  1. Paste your JWT (it usually starts with eyJ) into the box above, or use the Paste button.
  2. The header and payload are decoded instantly into separate panels; use the Copy buttons to grab each one on its own.
  3. If exp, iat and nbf are present, they are converted to readable dates and the token is marked green (valid) or red (expired).

Example

Suppose you see "exp": 1716239022 in the payload. That value is a Unix timestamp (seconds since 1 January 1970), and the tool converts it to your local date and time. If that moment is in the past, the token is flagged as expired; if it is in the future and nbf is in the past, the token is inside its valid window.
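
The decode steps and the exp/nbf window check described above, as an added example (not this tool's own code). The function names, the sample token, its nbf value and the placeholder signature are constructed for illustration; only the exp value comes from the page.

```javascript
// Decode-only: nothing here verifies the signature.
function b64urlToJson(part) {
  // Base64Url -> Base64: swap the URL-safe alphabet and restore padding.
  const b64 = part.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder("utf-8", { fatal: true }).decode(bytes));
}

function decodeJwt(token) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  return {
    header: b64urlToJson(parts[0]),
    payload: b64urlToJson(parts[1]),
    signature: parts[2], // shown raw, never checked
  };
}

// Classify against the clock (RFC 7519: now must be before exp, at or after nbf).
function timeStatus(payload, nowSec = Math.floor(Date.now() / 1000)) {
  for (const k of ["exp", "nbf", "iat"]) {
    if (k in payload && !Number.isFinite(payload[k])) return "invalid-" + k;
  }
  if ("exp" in payload && nowSec >= payload.exp) return "expired";
  if ("nbf" in payload && nowSec < payload.nbf) return "not-yet-valid";
  return "exp" in payload ? "in-window" : "no-expiry";
}

// Constructed sample token; the signature is a placeholder string.
function toB64url(obj) {
  const bytes = new TextEncoder().encode(JSON.stringify(obj));
  return btoa(String.fromCharCode(...bytes))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
const SAMPLE = [
  toB64url({ alg: "HS256", typ: "JWT" }),
  toB64url({ sub: "user-1", nbf: 1716235422, exp: 1716239022 }),
  "constructed-signature",
].join(".");

const decoded = decodeJwt(SAMPLE);
console.log(decoded.header, decoded.payload);
console.log(new Date(decoded.payload.exp * 1000).toISOString());
console.log(timeStatus(decoded.payload, 1716236000));
```

The placeholder signature decodes without complaint, which is exactly why a status of "in-window" says nothing about whether the token is genuine.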

Tips and security

Frequently Asked Questions

Does this JWT decoder verify the signature?

No. This tool only decodes the token. Verifying the signature requires the secret or public key on the server, so signature validity is not checked here. Always verify server-side before trusting the contents.

Is my token sent to a server?

No. Decoding happens entirely in your browser. The JWT you paste is never uploaded or stored.

What do exp, iat and nbf mean?

exp is the expiry time, iat is when the token was issued, and nbf is when it starts being valid. All are Unix timestamps in seconds; the tool converts them to readable dates and compares them with the current time.

What is a JWT and what are its parts?

A JWT has three dot-separated parts: header (algorithm and type), payload (claims) and signature. The header and payload are Base64Url-encoded JSON; this tool decodes them and shows the signature in raw form.