Tinkr

JWT Decoder

Paste a JSON Web Token. See its header, payload, claims, and validity — all decoded entirely in your browser. Your token never touches our servers.

Decodes as you type. We don't verify the signature — that requires your secret key, which we never want to see.

Frequently asked questions

What is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe way to transmit claims between two parties. It's three base64url-encoded segments separated by dots: header.payload.signature. JWTs are widely used for authentication and authorization — for example, an API can issue a JWT to a logged-in user, and the user sends it back on every request.
Is this JWT decoder safe to use? Does my token leave my browser?
No, it doesn't: your token never leaves your browser. The decoding is done entirely in JavaScript on your device. You can disconnect from the internet and the tool still works. We don't log, store, or transmit JWTs.
Why don't you verify the signature?
Verifying a JWT signature requires the secret key (HS256) or public key (RS256/ES256). We refuse to ask for that on purpose — secrets should never be pasted into a third-party website, even one that claims to be safe. For verification, use a JWT library in your own code (jsonwebtoken for Node, PyJWT for Python, etc.) or a CLI like jwt-cli.
What do the standard claims (iss, sub, exp, etc.) mean?
iss is the issuer (who created the token), sub is the subject (often a user ID), aud is the audience (intended recipient), exp is the expiration time in Unix seconds, nbf is 'not before' (token invalid until then), iat is 'issued at', and jti is a unique JWT ID. These are defined in RFC 7519. Custom claims can be anything the issuer adds.
How do I know if a JWT is expired?
Look at the `exp` claim — it's a Unix timestamp in seconds. If `exp` is less than the current time, the token is expired. This decoder shows expired tokens in red automatically, with the human-readable date next to the raw value.
Can I decode a JWT without knowing what algorithm signed it?
Yes — decoding only reads the header and payload, both of which are base64url-encoded JSON, not encrypted. The algorithm matters for verification, not decoding. The header's `alg` field tells you which algorithm signed it (commonly HS256, RS256, ES256).
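Decoding the three segments and checking `exp`/`nbf`, as described in the two answers above, looks like this in plain browser JavaScript. This is an added example, not the tool's own source; the issuer URL, subject and timestamps in the sample token are constructed values.

```javascript
// Added example (not the tool's own source): decode a JWT's header and
// payload and evaluate its time-based claims, without verifying the signature.
// Uses only atob/btoa and TextEncoder/TextDecoder, so it runs unchanged in a
// browser or in Node 16+.

function base64urlDecode(segment) {
  // base64url (RFC 4648 section 5) swaps '+'/'/' for '-'/'_' and drops '=' padding
  let b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  while (b64.length % 4 !== 0) b64 += "=";
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes); // handles non-ASCII claim values
}

function base64urlEncode(str) {
  const bin = Array.from(new TextEncoder().encode(str), (b) => String.fromCharCode(b)).join("");
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const header = JSON.parse(base64urlDecode(parts[0]));
  const payload = JSON.parse(base64urlDecode(parts[1]));
  // RFC 7519 time claims are Unix seconds: exp must be in the future, nbf must have passed
  const expired = typeof payload.exp === "number" && payload.exp <= nowSeconds;
  const notYetValid = typeof payload.nbf === "number" && payload.nbf > nowSeconds;
  const expiresAt = typeof payload.exp === "number" ? new Date(payload.exp * 1000).toISOString() : null;
  // Nothing above proves who issued the token: the signature is never checked,
  // and the header's `alg` is unverified input that only a real verifier may act on.
  return { header, payload, expired, notYetValid, expiresAt, signatureVerified: false };
}

// Constructed sample token (not a real credential): HS256 header, a payload whose
// exp lies one hour after iat, and a placeholder third segment standing in for the signature.
const SAMPLE_TOKEN = [
  base64urlEncode(JSON.stringify({ alg: "HS256", typ: "JWT" })),
  base64urlEncode(JSON.stringify({ iss: "https://issuer.example", sub: "user-42", iat: 1700000000, exp: 1700003600 })),
  "placeholder-signature",
].join(".");

console.log(decodeJwt(SAMPLE_TOKEN, 1700003601)); // one second after exp: expired is true
```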
What's the difference between a JWT and a session cookie?
Sessions are stored on the server and identified by a small cookie ID; the server looks up the user on each request. JWTs are stateless — all the user info is inside the token itself, signed so it can't be tampered with. JWTs scale better but are harder to revoke before they expire.
Is JWT encryption or just signing?
Standard JWTs (JWS) are signed but NOT encrypted — the contents are visible to anyone who has the token. If you need encryption, use JWE (JSON Web Encryption), a separate spec. As a rule: never put secrets like passwords inside a regular JWT payload.
