
JWT Decoder

Paste a JSON Web Token to instantly decode its header and payload into readable JSON. Timestamp claims like exp and iat are translated to human-readable dates, and you can verify HS256 signatures with your secret.

About the JWT Decoder

A JSON Web Token (JWT) is a compact, URL-safe credential made of three base64url parts — header, payload, and signature — separated by dots. It carries claims about a user or session and is widely used for authentication and authorization in APIs.

Decoding a JWT does not require the secret: the header and payload are only encoded, not encrypted, so anyone can read them. That is exactly why this tool runs entirely client-side — a token is sensitive, and pasting one into a server-side debugger could leak an active session. Here, nothing leaves your browser.

How to use it

  1. Paste your JWT into the token field.
  2. Read the decoded header and payload, with expiry shown in plain language.
  3. To verify, enter the shared secret and check the HS256 signature result.

Features

  • Decodes header and payload to formatted JSON
  • Translates exp, iat and nbf claims into human-readable dates
  • Flags expired tokens at a glance
  • Optional HMAC (HS256) signature verification with your secret

Frequently asked questions

Is it safe to paste a JWT here?

Yes. Decoding and verification happen entirely in your browser — the token and any secret you enter are never sent to a server. Still, avoid sharing production tokens unnecessarily.

Can I read a JWT without the secret?

Yes. A JWT payload is base64url-encoded, not encrypted, so the header and claims are always readable. The secret is only needed to verify the signature.

Which algorithms can it verify?

It verifies HMAC signatures (HS256) using your shared secret via the Web Crypto API. Any token can be decoded regardless of algorithm.

What do exp and iat mean?

iat is "issued at" and exp is "expiration" — both are Unix timestamps. The decoder converts them to readable dates and flags tokens that have expired.
