JWT decoder
Decode a JSON Web Token's header and payload, in your browser.
This JWT decoder splits a JSON Web Token into its three parts and shows you the decoded header and payload in readable JSON. JWTs carry claims such as the issuer, subject, and expiry time, all Base64URL-encoded and separated by dots; this tool reverses that encoding so you can see what a token actually contains. It is especially useful for debugging authentication flows, checking expiry timestamps, and confirming which claims a service issued. Decoding happens entirely in your browser, so tokens are never transmitted or logged.
Frequently asked questions
Does this verify the token's signature?
No. It decodes the readable header and payload but does not validate the signature, which requires the signing secret or key.
Is it safe to paste a real token here?
The decoding is fully client-side, so nothing leaves your device. Still, treat live tokens carefully and avoid sharing your screen.
Why can I read the payload without a password?
A JWT payload is only encoded, not encrypted. Anyone can read it, which is why sensitive data should never be stored in a token.
What does the exp claim mean?
exp is the expiry time as a Unix timestamp. If it is in the past, the token is expired and most services will reject it.
What's the difference between the alg and typ in the header?
typ is usually "JWT", identifying the token type, while alg names the signing algorithm such as HS256 or RS256. A token whose alg is "none" is unsigned and should be treated as untrusted.
What are the iss, sub, and aud claims?
iss is who issued the token, sub is the subject (often the user it identifies), and aud is the intended audience that should accept it. Services verify these to ensure a token is being used where it belongs.
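The decode-only inspection described in the answers above, as an added example that is not this tool's own code. The function names (b64urlToText, inspectJwt) and the sample tokens are constructed for illustration; the sketch reverses the Base64URL encoding, reads the claims, and flags an unsigned or expired token without ever checking the signature.

```javascript
// Added example: decode-only JWT inspection. No signature check is performed,
// so every value returned here is untrusted input.

// Base64URL -> UTF-8 text: restore '+' and '/', then re-add the stripped padding.
function b64urlToText(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error("not Base64URL");
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const header = JSON.parse(b64urlToText(parts[0]));
  const payload = JSON.parse(b64urlToText(parts[1]));
  const warnings = [];
  // Unsigned token: alg "none" (any letter case) or an empty signature part.
  if (String(header.alg).toLowerCase() === "none" || parts[2] === "") {
    warnings.push("unsigned");
  }
  // exp is a Unix timestamp; a value at or before "now" means expired.
  if (typeof payload.exp !== "number") warnings.push("no-exp");
  else if (payload.exp <= nowSeconds) warnings.push("expired");
  return { header, payload, warnings, signatureVerified: false };
}

// Constructed sample tokens (not real credentials), built inline.
function toB64url(obj) {
  const bytes = new TextEncoder().encode(JSON.stringify(obj));
  return btoa(String.fromCharCode(...bytes))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
function sampleToken(header, payload, sig) {
  return [toB64url(header), toB64url(payload), sig].join(".");
}

const claims = { iss: "https://issuer.example", sub: "user-123", aud: "api.example", exp: 1700000000 };
const signedLooking = sampleToken({ alg: "HS256", typ: "JWT" }, claims, "c2lnbmF0dXJl");
const unsigned = sampleToken({ alg: "none", typ: "JWT" }, claims, "");

console.log(inspectJwt(signedLooking, 1699999000).warnings); // []
console.log(inspectJwt(unsigned, 1700000500).warnings);      // ["unsigned", "expired"]
```

The signatureVerified field is always false: a service must verify the signature with the signing secret or key before trusting iss, sub, aud, or exp.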