Is my JWT sent to your server?

No — decoding happens entirely in your browser. We never see the token. This is important because JWTs frequently contain user identity claims and short-lived access tokens that should not be sent to third parties.

Does this verify the signature?

No. We deliberately don't verify because verification requires your secret or public key, and we don't want anyone to paste secrets into a web tool. Verification belongs in your application or a CLI run on a trusted machine.

Why is my token "invalid"?

A JWT must have exactly three base64url-encoded segments separated by dots. The most common causes of failure are: extra whitespace, missing the "Bearer" prefix is fine but extra characters around it are not, or the token has been truncated mid-paste.

What is exp and how do I read it?

exp is the expiration time as a Unix timestamp in seconds. The decoder converts it to a human-readable date and shows whether the token is currently expired. The same applies to iat (issued at) and nbf (not before).

Can I decode encrypted JWTs (JWE)?

No — this tool decodes signed JWTs (JWS) only, which is the dominant format used for authentication. JWE tokens are content-encrypted and require the recipient's key to read; pasting a JWE here will show its header but the payload will be unreadable ciphertext.

Files never leave your device

JWT Decoder

Paste a JWT to inspect its header and payload. Decoding stays on your machine — important for tokens that contain secrets.

JWT

How to use JWT Decoder

Paste your JWT into the input area.
The header and payload are decoded automatically as you type.
Inspect any standard claims (iss, sub, exp, iat) in the formatted payload.
Copy the decoded JSON for use in your debugger or test suite.

What is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe way to represent claims between two parties. It's the most common format for stateless authentication on the web — when you log in, the server returns a JWT, and your client sends it on every subsequent request to prove who you are.

Anatomy

A JWT has three parts separated by dots: header.payload.signature. The header and payload are Base64url-encoded JSON. The signature is computed over the first two parts using a secret (HMAC) or private key (RSA, ECDSA). Decoding only requires Base64; verifying requires the key.

Why decoding tokens locally matters

Many JWTs include enough information to identify a user, an organization, or an internal API permission. Even an expired token still leaks identifiers. Pasting one into a server-backed tool means a third party logs your identity. This decoder runs in the browser; the token never leaves the page.