🔐JWT Decoder

How to Use

1. 1

   Paste your JWT

   Copy your JWT token and paste it into the input field.

2. 2

   Inspect the header

   The header shows the algorithm (alg) and token type (typ).

3. 3

   Read the payload

   The payload contains the claims — user data, permissions, and timestamps like iat (issued at) and exp (expiry).

4. 4

   Check expiry

   The status badge instantly shows whether the token is still valid or has expired.

FAQ

What is a JWT?

A JSON Web Token (JWT) is an open standard (RFC 7519) for securely transmitting information between parties as a JSON object. It consists of three Base64url-encoded parts: header, payload, and signature.

Is this tool safe to use with real tokens?

Yes. All decoding happens in your browser using JavaScript's atob() function. No data is sent to any server. That said, treat JWTs like passwords — avoid pasting production tokens with sensitive claims into any online tool.

Does this tool verify the JWT signature?

No. Signature verification requires the secret key or public key used when the JWT was signed. This tool only decodes (Base64url decodes) the visible parts — it does not validate whether the token is authentic.

What is the difference between iat, exp, and nbf?

"iat" (issued at) is the Unix timestamp when the token was created. "exp" (expiry) is when the token becomes invalid. "nbf" (not before) is the earliest time the token can be used.

What is Base64url encoding?

Base64url is a variant of Base64 that uses - and _ instead of + and / and omits padding (=). It is URL-safe, which is why it is used in JWTs.