Paste a JWT token below to decode and inspect its header, payload and claims instantly. Your token never leaves your browser.
JWT stands for JSON Web Token. It is a compact, URL-safe way of representing claims between two parties. A JWT is commonly used in authentication systems - when you log in to a web application the server gives you a JWT and your browser sends it back with every request to prove who you are.
A JWT has three parts separated by dots: the header, the payload, and the signature. Each part is Base64url encoded separately (URL-safe Base64 without padding). The header says what algorithm was used to sign the token. The payload contains the actual claims - data like your user ID, email, and when the token expires. The signature is used to verify that the token was not tampered with.
This tool runs entirely in your browser. Your token is never sent to any server. That said, you should still be careful with tokens that are currently active in production. A JWT can be used to authenticate as you until it expires. If you are debugging in a safe environment there is no risk, but avoid pasting live production tokens into any online tool if you can help it.
The red part is the header. The blue part is the payload. The green part is the signature. This colour coding matches the standard used on jwt.io and most JWT documentation so it is easy to recognise which part is which.
No. Verifying a JWT signature requires the secret key or public key that corresponds to the key used to sign it. This tool only decodes the header and payload, which are Base64url encoded and readable by anyone. Signature verification must be done server-side with the correct key.
The exp claim is the expiry time of the token, expressed as a Unix timestamp (seconds since 1970-01-01 UTC). This tool converts it to a human-readable date and shows whether the token is currently expired or still valid.
The iat claim stands for "issued at". It is the Unix timestamp of when the token was created. Together with exp it tells you the full lifetime of the token.
Because the header and payload are only Base64url encoded, not encrypted. JWTs are designed to be readable - the security comes from the signature, which proves the token was issued by a trusted server and has not been modified. Never put data in a JWT payload that you would not want visible to anyone who holds the token.