Developer

JWT Decoder

Paste a JSON Web Token to split it into header, payload, and signature. Timestamps like exp and iat are formatted into readable dates, and the claim table shows every field at a glance. Runs entirely in your browser.

JWT token

What is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe way to represent claims between two parties. It's three base64url-encoded segments joined by dots: a header that names the signing algorithm, a payload that carries the claims, and a signature that proves the token was issued by someone holding the signing key. JWTs are the default format for OAuth 2.0 access tokens, OpenID Connect ID tokens, and most stateless session systems. This decoder splits the token and shows the raw JSON for each segment — it does not verify the signature, because that would require the issuer's secret or public key.

How to use the JWT decoder

1
Paste your token
Copy a JWT from an Authorization header, a debug log, or a URL. It should look like eyJ...eyJ...signature with three segments.
2
Review the header and payload
The header shows the algorithm (alg) and token type (typ). The payload lists every claim — sub, iss, aud, exp, iat, and any custom fields.
3
Check expiry at a glance
The validity banners tell you immediately if the token is expired, active, or not yet valid (nbf). Time claims are shown in both UTC and relative form.
4
Copy individual sections
Use the copy button on the header or payload panel to grab clean JSON for debugging, sharing, or pasting into another tool.

JWT anatomy

A JWT has three base64url segments joined by dots:
 
    header.payload.signature
 
Header  — JSON describing the signing algorithm
          { "alg": "HS256", "typ": "JWT" }
 
Payload — JSON carrying the claims
          { "sub": "1234", "exp": 1700000000 }
 
Signature — HMAC or RSA over header.payload, base64url-encoded
 
Standard time claims (seconds since epoch):
  exp  = expiration time
  iat  = issued at
  nbf  = not before

The header and payload are plain JSON that anyone can read — base64url is encoding, not encryption. The signature is what makes the token trustworthy: it's computed by the issuer using a secret key (for HS* algorithms) or a private key (for RS*/ES* algorithms) over the first two segments. A server that receives the token recomputes the signature with the matching secret or public key and rejects anything that doesn't match. That's why you should never put sensitive data like passwords in a payload, and why this tool only decodes — verifying requires the issuer's key.

Reference: RFC 7519 — JSON Web Token (JWT)

Examples

Input	Output
Header: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9	{ "alg": "HS256", "typ": "JWT" } Minimal header for an HMAC-SHA256 token.
Payload with exp claim	{ "sub": "1234", "exp": 1700000000 } exp is seconds since epoch — 2023-11-14 in UTC.
Expired token	Token expired · Expires 2024-01-01 (3 months ago) The validity banner flips red when exp is in the past.
Malformed token (only two segments)	Invalid token: expected 3 segments, got 2 A JWT must have exactly three dots-separated base64url parts.

Common use cases

Debug an OAuth access token to see which scopes and audience it carries
Check whether a failing request is due to an expired token
Inspect an OpenID Connect ID token to read user claims like sub and email
Decode a magic-link or password-reset token to confirm the signed payload
Verify that the correct issuer (iss) and audience (aud) are set on a token
Read the kid header to figure out which signing key was used
Compare two tokens side by side when investigating a session bug
Teach teammates how JWTs are structured without writing any code

Related tools

JSON Formatter

Format, validate, and minify JSON with precise error line and column reporting.

Base64 Encoder

Encode and decode Base64 text with optional URL-safe variant and UTF-8 support.

Unix Timestamp Converter

Convert between epoch numbers and dates with auto-detect for seconds vs milliseconds.

Age Calculator

Calculate your exact age in years, months, and days from any date of birth.

Frequently asked questions

Does this tool verify the signature?

No. Verifying a signature requires the issuer's secret (for HMAC algorithms) or public key (for RSA and ECDSA). This tool only decodes the header and payload so you can read them. Treat any token you decode here as untrusted until your backend validates the signature against the issuer's key.

Is it safe to paste a real JWT here?

Everything runs in your browser — the token is never uploaded, stored, or logged. That said, an access token in your hands is as powerful as a password: if your browser has extensions that read page contents, they could theoretically see it. For paranoid debugging, use a fresh private window or decode offline.

Why is the signature shown as bytes instead of text?

The signature is a raw binary blob — typically 32 bytes for HS256, 256 bytes for RS256. It's base64url-encoded in the token but the decoded form isn't human-readable, so the tool reports the byte count instead of trying to display garbled characters.

What's the difference between exp, iat, and nbf?

They're the three standard time claims from RFC 7519. exp is the expiration time — after this moment the token is invalid. iat is the issued-at time — when the token was created. nbf is not-before — the earliest time the token may be used. All three are measured in seconds since the Unix epoch.

My timestamps look way off — are they wrong?

JWTs use seconds since epoch, not milliseconds. This tool auto-detects the unit by checking whether the value is above 10^12 (treated as milliseconds). If you have a non-standard claim storing a timestamp under a different name, it's displayed as a raw number rather than a date.

Why does decoding fail with "not valid base64url"?

The segment contains characters outside the base64url alphabet (A-Z a-z 0-9 - _) or is missing padding. Copy-pasting from email clients or chat apps can silently introduce whitespace or smart quotes. Try copying the token from a fresh source like browser dev tools.

Can I decode an encrypted JWT (JWE)?

No. This tool decodes signed JWTs (JWS). A JWE token has five segments instead of three and its payload is encrypted rather than just encoded — you need the recipient's private key to read it. A regular JWS token with an encrypted claim (like Auth0's opaque tokens) also won't decode into readable JSON.

Do I need the URL-safe Base64 option?

JWT segments are always base64url-encoded, so the tool handles it automatically — no option needed. If you need to encode or decode arbitrary base64url text outside a JWT, use the separate Base64 encoder with the URL-safe checkbox enabled.

Last updated 2026-04-21

What is a JWT?

How to use the JWT decoder

Paste your token

Copy a JWT from an Authorization header, a debug log, or a URL. It should look like eyJ...eyJ...signature with three segments.

Review the header and payload

The header shows the algorithm (alg) and token type (typ). The payload lists every claim — sub, iss, aud, exp, iat, and any custom fields.

Check expiry at a glance

The validity banners tell you immediately if the token is expired, active, or not yet valid (nbf). Time claims are shown in both UTC and relative form.

Copy individual sections

Use the copy button on the header or payload panel to grab clean JSON for debugging, sharing, or pasting into another tool.

JWT anatomy

A JWT has three base64url segments joined by dots:
 
    header.payload.signature
 
Header  — JSON describing the signing algorithm
          { "alg": "HS256", "typ": "JWT" }
 
Payload — JSON carrying the claims
          { "sub": "1234", "exp": 1700000000 }
 
Signature — HMAC or RSA over header.payload, base64url-encoded
 
Standard time claims (seconds since epoch):
  exp  = expiration time
  iat  = issued at
  nbf  = not before

Examples

Input	Output
Header: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9	{ "alg": "HS256", "typ": "JWT" } Minimal header for an HMAC-SHA256 token.
Payload with exp claim	{ "sub": "1234", "exp": 1700000000 } exp is seconds since epoch — 2023-11-14 in UTC.
Expired token	Token expired · Expires 2024-01-01 (3 months ago) The validity banner flips red when exp is in the past.
Malformed token (only two segments)	Invalid token: expected 3 segments, got 2 A JWT must have exactly three dots-separated base64url parts.

Common use cases

Debug an OAuth access token to see which scopes and audience it carries

Check whether a failing request is due to an expired token

Inspect an OpenID Connect ID token to read user claims like sub and email

Decode a magic-link or password-reset token to confirm the signed payload

Verify that the correct issuer (iss) and audience (aud) are set on a token

Read the kid header to figure out which signing key was used

Compare two tokens side by side when investigating a session bug

Teach teammates how JWTs are structured without writing any code