Toolverse

JWT Decoder

Paste a JSON Web Token to read its header and payload as formatted JSON. Timestamp claims are shown as readable UTC dates. Decoding happens in your browser.

This tool only decodes the token — it does NOT verify the signature. Never trust a decoded token as proof of authentication.

Timestamp claims (UTC)

iat
2018-01-18T01:30:22.000Z

How to use it

Paste a JSON Web Token into the box. A JWT is three base64url segments joined by dots — header, payload, and signature, in that order. The tool splits the token on the dots and base64url-decodes the first two segments into readable, formatted JSON so you can inspect them side by side. The header describes how the token was produced: the signing algorithm, such as HS256 or RS256, and the token type. The payload carries the claims — the actual statements the token makes. A token for a signed-in user typically names a subject (who the token is about), an issuer (who minted it), and an expiry, alongside any custom claims the application added. Timestamp claims are the ones people misread most. The standard time claims — iat (issued at), exp (expires), and nbf (not before) — are stored as seconds since the Unix epoch, which is unreadable at a glance. The tool converts each of them to a formatted UTC date, so you can immediately see whether a token has already expired or is not yet valid. Decoding is not verification, and the difference matters. Anyone who has a JWT can read its header and payload, because those parts are only encoded, not encrypted. Only the signature — checked against the signing key — proves the token is authentic and untampered. This tool deliberately reads only; never trust a decoded token's claims for a security decision without verifying the signature on your server. Everything runs entirely in your browser, so the token you paste is never uploaded. That makes the decoder safe for the everyday jobs it is built for: debugging an authentication flow, inspecting why a session was rejected, or checking exactly which claims your identity provider issues.

Frequently asked questions

Does this verify the signature?
No. It only decodes the header and payload so you can read them. Verifying a JWT requires the signing secret or public key, which this tool never asks for. Do not treat a decoded token as authenticated.
What are exp, iat, and nbf?
They are standard time claims in seconds since the Unix epoch: iat (issued at), nbf (not before), and exp (expires). This tool converts them to UTC dates for you.
Is my token sent anywhere?
No. Decoding runs entirely in your browser; the token is never uploaded. Still, avoid pasting production tokens into any online tool.
Why can I read the payload without a password?
Because a JWT is encoded, not encrypted. The header and payload are only base64url-encoded — a reversible format anyone can decode — so their contents are fully readable without any key. The signature is the security layer: it does not hide the data, it proves the data has not been altered. For that reason, never put secrets in a JWT payload; treat everything in it as public.