GoWin Tools

Security — Dev Tool

JWT Decoder

Runs entirely in your browser · Nothing is sent to our servers

Paste a JWT to decode header, payload, and signature. Check expiry and claims instantly.

How it works

JWT structure

A JWT has three Base64URL-encoded parts separated by dots: header.payload.signature

The header identifies the signing algorithm. The payload carries claims about the user or session. The signature proves the token was issued by a trusted party.

Common claims

  • sub — subject (usually user ID)
  • iat — issued at (Unix timestamp)
  • exp — expiry time (Unix timestamp)
  • aud — intended audience
  • iss — token issuer

Security notes

Tokens with alg: none carry no signature and must never be trusted. Never log JWTs — they grant access to your users' sessions.
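
The structure, claims and alg: none check described above, as an added example (not this tool's own code). It only decodes and flags; it does not verify the signature, and the names inspectJwt and b64url, the sample tokens and the issuer.example values are constructed for illustration.

```javascript
// Added example: decode-only inspection. It does NOT verify the signature.
const b64url = {
  // Base64URL -> parsed JSON (alphabet uses '-' and '_', padding is stripped).
  decode(seg) {
    if (!/^[A-Za-z0-9_-]+$/.test(seg)) throw new Error("segment is not Base64URL");
    const b64 = seg.replace(/-/g, "+").replace(/_/g, "/");
    const padded = b64.padEnd(Math.ceil(b64.length / 4) * 4, "=");
    const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
    return JSON.parse(new TextDecoder().decode(bytes));
  },
  // JSON -> Base64URL, used only to build the constructed sample tokens below.
  encode(obj) {
    const bytes = new TextEncoder().encode(JSON.stringify(obj));
    const b64 = btoa(String.fromCharCode(...bytes));
    return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  },
};

function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const [header, payload] = [b64url.decode(parts[0]), b64url.decode(parts[1])];
  const findings = [];
  // An unsigned token proves nothing about who issued it.
  if (String(header.alg).toLowerCase() === "none" || parts[2] === "") {
    findings.push("unsigned");
  }
  // exp and iat are Unix timestamps in seconds, compared against the caller's clock.
  if (typeof payload.exp !== "number") findings.push("no-exp");
  else if (payload.exp <= nowSeconds) findings.push("expired");
  if (typeof payload.iat === "number" && payload.iat > nowSeconds) findings.push("iat-in-future");
  return { header, payload, signature: parts[2], findings };
}

// Constructed sample tokens (the signature text is a placeholder, not a real MAC).
const NOW = 1700000000;
const claims = { sub: "user-123", iss: "https://issuer.example", aud: "api.example", iat: NOW - 60 };
const sampleTokens = {
  unsigned: `${b64url.encode({ alg: "none", typ: "JWT" })}.${b64url.encode({ ...claims, exp: NOW + 300 })}.`,
  expired: `${b64url.encode({ alg: "HS256", typ: "JWT" })}.${b64url.encode({ ...claims, exp: NOW - 1 })}.c2lnLXBsYWNlaG9sZGVy`,
};

for (const [name, token] of Object.entries(sampleTokens)) {
  console.log(name, inspectJwt(token, NOW).findings);
}
```

An empty findings list means only that nothing was flagged during decoding; a token is trustworthy only after its signature has been verified against the issuer's key.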

Privacy note: Your token is decoded entirely in your browser. Nothing is sent to any server.