JWT Decoder

Decode a JSON Web Token in your browser. See the header and payload, read the claim times, check the expiry, and verify the HMAC signature with your secret. Nothing is uploaded.

How to use the JWT decoder

1. Paste Your Token

Drop your JSON Web Token into the box. It decodes the moment you paste, no button needed.

2. Read the Header and Payload

See the decoded header and payload as formatted JSON, with the claim times shown in plain dates and the expiry status called out.

3. Verify the Signature

For HMAC tokens, enter the secret and check whether the signature matches, all without the token leaving your browser.

See What Is Inside a Token, Safely

A JSON Web Token packs three parts into one string: a header that names the signing algorithm, a payload of claims like who the user is and when the token expires, and a signature that proves the first two were not changed. The parts are base64url encoded, so the token looks like noise until you decode it.

That is what this tool does. Paste a token and it splits it apart, decodes the header and payload back into readable JSON, and turns the expiry and issued-at claims into plain dates so you can see at a glance whether the token is still good.

Decoding is not the same as trusting. A token is only safe to act on once you confirm the signature. For HMAC tokens you can paste the secret here and check the signature in the browser. The token and the secret never leave your device, so it is safe to inspect production tokens while you debug.

Why Use Our JWT Decoder?

Header and Payload

Decode both parts of the token into clean, formatted JSON you can actually read.

Readable Claim Times

The exp, iat, and nbf claims are shown as real dates with how long ago or until, not raw timestamps.

Signature Verification

Enter your secret to verify HS256, HS384, and HS512 signatures right in the browser.

Expiry Status

A clear badge tells you if the token is still valid, expired, or not active yet.

Color-Coded Parts

Header, payload, and signature are colored so you can see the three segments at a glance.

Never Uploaded

Decoding and verification happen on your device. Your token and secret never touch a server.

Frequently Asked Questions

Common questions about JWTs and decoding them.

What is a JWT?
A JSON Web Token, or JWT, is a compact string used to pass identity and claims between systems. It has three base64url-encoded parts, the header, the payload, and the signature, joined by dots.

Is it safe to paste my token here?
Yes. The token is decoded entirely in your browser with JavaScript. It is never sent to a server, logged, or stored, so even production tokens stay private.

Does decoding a JWT verify it?
No. Decoding just reveals the contents, which anyone can do, because the payload is only encoded, not encrypted. Verifying the signature is what proves the token is genuine and unchanged.

Can this tool verify the signature?
It can verify HMAC tokens, the HS256, HS384, and HS512 algorithms, when you provide the secret. Tokens signed with RS or ES algorithms need a public key, which this tool does not handle.

Why is my token marked as expired?
Each token can carry an exp claim, a timestamp for when it stops being valid. If that time is in the past, the tool flags it as expired. A new token from the issuer fixes it.

Is this JWT decoder free?
Yes, it is completely free with no signup and no limits. Decode and verify as many tokens as you need, right in your browser.