JWT Decoder

Decode a JSON Web Token’s header and payload — with algorithm, registered claims and readable dates (exp, iat, nbf). Everything runs in your browser; the signature is not verified.

Header & payload

Splits the token into its three parts and decodes the base64url JSON of the header and payload into readable form.

Claims & dates

Surfaces registered claims and turns exp, iat and nbf into readable dates, with a clear valid / expired status.

Private

Decoding is fully in-browser — the token never leaves your device. The signature is intentionally not verified.

Frequently asked questions

What is a JWT (JSON Web Token)?

A JWT is a compact, URL-safe format for carrying data (claims) between two parties. It has three dot-separated parts: header, payload and signature, each base64url-encoded. It is most commonly used for authentication and authorization.

Does this tool verify the signature?

No. The tool only decodes the header and payload so you can read their contents; it does NOT verify the cryptographic signature. Verification requires the secret key (HMAC) or the public key (RSA/ECDSA), and for security reasons we intentionally do not do it here.

Why is a JWT not "encrypted"?

A standard JWT (JWS) is only signed, not encrypted — the payload is base64url that anyone can decode. So never put sensitive data (passwords, private secrets) in the payload. For hidden content, JWE is used instead.

What do exp, iat and nbf mean?

These are registered claims with time values in seconds since 1970: exp (Expiration) — when the token expires; iat (Issued At) — when it was issued; nbf (Not Before) — from when it is valid. The tool shows them as readable dates and computes whether the token is valid, expired or not yet valid.

Does it support Cyrillic in claims?

Yes. Decoding is UTF-8 based, so Cyrillic values, emoji and any Unicode characters in claims are displayed correctly.

Is my token uploaded anywhere?

No. All decoding happens locally in your browser via JavaScript — the token is never sent to a server. This matters especially because a JWT often contains live session data.
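The decoding steps this FAQ describes (split on dots, base64url-decode to UTF-8 JSON, classify exp and nbf against the current time), as an added example that is not this tool's own code. The function names and the sample token are constructed for illustration.

```javascript
// Added example: decode-only JWT inspection. The signature is NOT verified,
// so the returned claims must not drive any authorization decision.

// base64url segment -> UTF-8 text (maps "-"/"_" back, restores "=" padding).
function b64urlToUtf8(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error("not base64url");
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  // fatal: true rejects malformed UTF-8 instead of substituting U+FFFD.
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

// nowSec and the claims are seconds since 1970; a token is expired AT exp.
function timeStatus(payload, nowSec) {
  if (typeof payload.nbf === "number" && nowSec < payload.nbf) return "not yet valid";
  if (typeof payload.exp === "number" && nowSec >= payload.exp) return "expired";
  return "valid";
}

function decodeJwt(token, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const header = JSON.parse(b64urlToUtf8(parts[0]));
  const payload = JSON.parse(b64urlToUtf8(parts[1]));
  const iso = (v) => (typeof v === "number" ? new Date(v * 1000).toISOString() : null);
  return {
    header,
    payload,
    alg: header.alg,
    dates: { exp: iso(payload.exp), iat: iso(payload.iat), nbf: iso(payload.nbf) },
    status: timeStatus(payload, nowSec),
    signatureVerified: false, // decode only, by design
  };
}

// Constructed sample token; the third segment is a dummy, never checked here.
function encodeSegment(obj) {
  const bytes = new TextEncoder().encode(JSON.stringify(obj));
  return btoa(String.fromCharCode(...bytes))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
const SAMPLE_TOKEN = [
  encodeSegment({ alg: "HS256", typ: "JWT" }),
  encodeSegment({ sub: "42", name: "Иван", iat: 1700000000, nbf: 1700000000, exp: 1700003600 }),
  "c2lnbmF0dXJl",
].join(".");
console.log(decodeJwt(SAMPLE_TOKEN, 1700000100));
```

Because the header and payload are attacker-controlled until the signature is checked, output like this is suitable for debugging and inspection only.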
