JWT Decoder
🔒 Runs entirely in your browser. Nothing is sent anywhere.
Paste a JWT to decode header, payload, and signature. Check expiry and claims instantly.
JWT structure
A JWT has three Base64URL-encoded parts separated by dots: header.payload.signature
The header identifies the signing algorithm. The payload carries claims about the user or session. The signature proves the token was issued by a trusted party.
Common claims
sub — subject (usually user ID)
iat — issued at (Unix timestamp)
exp — expiry time (Unix timestamp)
aud — intended audience
iss — token issuer
Security notes
Tokens with alg: none carry no signature and must never be trusted. Never log JWTs — they grant access to your users' sessions.
Privacy note: Your token is decoded entirely in your browser. Nothing is sent to any server.
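The decode-and-check steps described above can be reproduced in a few lines. This is an added example, not this tool's own source; the function names, the sample tokens, and the issuer and audience values are constructed for illustration.

```javascript
// Added example: decode-only inspection. It does NOT verify the signature,
// so its output must never be used for an authorization decision.
function b64urlToBytes(part) {
  if (!/^[A-Za-z0-9_-]*$/.test(part)) throw new Error("not Base64URL");
  const b64 = part.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
}

function b64urlToJson(part) {
  const value = JSON.parse(new TextDecoder().decode(b64urlToBytes(part)));
  if (value === null || typeof value !== "object") throw new Error("segment is not a JSON object");
  return value;
}

// nowSeconds is injectable so the expiry check is deterministic in tests.
function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const header = b64urlToJson(parts[0]);
  const payload = b64urlToJson(parts[1]);
  const warnings = [];
  const alg = typeof header.alg === "string" ? header.alg : "";
  if (alg.toLowerCase() === "none") warnings.push("alg is none: unsigned, do not trust");
  if (parts[2] === "") warnings.push("empty signature segment");
  if (typeof payload.exp !== "number") warnings.push("no numeric exp claim");
  else if (payload.exp <= nowSeconds) warnings.push("token expired");
  if (typeof payload.iat === "number" && payload.iat > nowSeconds) {
    warnings.push("iat is in the future");
  }
  return { header, payload, signatureBytes: b64urlToBytes(parts[2]).length, warnings };
}

// Constructed sample data (ASCII only, so btoa is sufficient here).
function encodePart(obj) {
  return btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
const sampleClaims = encodePart({
  sub: "user-123", iss: "https://issuer.example", aud: "api.example",
  iat: 1700000000, exp: 1700003600,
});
// Unsigned token: alg none and an empty third segment.
const sampleUnsigned = encodePart({ alg: "none", typ: "JWT" }) + "." + sampleClaims + ".";
// "c2ln" is a 3-byte placeholder, not a real HMAC; decoding cannot tell the difference.
const samplePlaceholderSig = encodePart({ alg: "HS256", typ: "JWT" }) + "." + sampleClaims + ".c2ln";
```

The second sample produces no warnings even though its signature is a placeholder, which is why a decoder's output says nothing about whether a token is authentic.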