JWT Decoder

Decode JWT header, payload, and signature with expiry warnings.

Decoding never validates the signature. Provide a secret (HS*) or PEM public key (RS*) below to verify.


About JWT Decoder

JWT Decoder parses a JSON Web Token and renders the three Base64URL-encoded segments in readable form: the header as JSON (which algorithm signed the token, plus optional `kid` and `typ`), the payload as JSON (the claims: `sub`, `iss`, `aud`, `exp`, custom fields), and the signature (raw bytes, untouched). Time-based claims (`exp`, `nbf`, `iat`) are surfaced as human-readable timestamps next to the raw epoch numbers.

This is a read-only inspection tool: it does not verify the signature, since verification requires the secret or public key the issuer used. Reach for it when debugging an auth flow — your client got a 401 and you want to see what claims the server actually issued, you need to confirm an `exp` is in the future, or you are comparing two tokens to find the differing claim. To build a new JWT (signing required), use JWT Encoder. Everything runs in your browser, so the token's contents never leave your device — important since JWTs typically carry session identifiers and user data.

Examples

Input
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0IiwibmFtZSI6IkFkYSIsImV4cCI6MTcxNTAwMDAwMH0.QWJjZGVmZ2hpams
Output
header: { "alg": "HS256", "typ": "JWT" }
payload: { "sub": "1234", "name": "Ada", "exp": 1715000000 (May 6 2024 UTC) }
signature: <opaque bytes>

The three dot-separated segments are Base64URL-decoded. The expiration is shown both as an epoch value and as human-readable UTC.
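The same decode-only inspection as a script, added here as an illustration and not the tool's own code: it splits the token, restores Base64URL padding, parses header and payload, and renders `exp`/`nbf`/`iat` as UTC alongside warnings. The function names, the `warnings` strings and the `verified: false` field are assumptions of this example; `SAMPLE` is the token from the example above.

```javascript
// Added example: decode-only JWT inspection. It never verifies the signature.
// SAMPLE is the example token shown on this page.
const SAMPLE =
  "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9." +
  "eyJzdWIiOiIxMjM0IiwibmFtZSI6IkFkYSIsImV4cCI6MTcxNTAwMDAwMH0." +
  "QWJjZGVmZ2hpams";

// Base64URL -> bytes: map the URL-safe alphabet back and restore '=' padding.
function b64urlToBytes(seg) {
  if (!/^[A-Za-z0-9_-]*$/.test(seg)) throw new Error("segment is not Base64URL");
  const b64 = seg.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
}

// Strict UTF-8 decode, then JSON.parse; malformed input throws.
function segmentToJson(seg) {
  const text = new TextDecoder("utf-8", { fatal: true }).decode(b64urlToBytes(seg));
  return JSON.parse(text);
}

// nowSec is injectable so the expiry warnings are reproducible.
function decodeJwt(token, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected 3 dot-separated segments");
  const header = segmentToJson(parts[0]);
  const payload = segmentToJson(parts[1]);

  // Render exp/nbf/iat as UTC timestamps next to the raw epoch seconds.
  const times = {};
  for (const claim of ["exp", "nbf", "iat"]) {
    const v = payload[claim];
    if (typeof v !== "number") continue;
    const d = new Date(v * 1000);
    times[claim] = Number.isNaN(d.getTime()) ? "out of range" : d.toISOString();
  }

  const warnings = [];
  if (typeof payload.exp === "number" && payload.exp <= nowSec) warnings.push("expired");
  if (typeof payload.nbf === "number" && payload.nbf > nowSec) warnings.push("not yet valid");
  if (parts[2] === "") warnings.push("empty signature segment");
  if (String(header.alg).toLowerCase() === "none") warnings.push("alg is none (unsigned)");

  // verified is always false: decoding says nothing about authenticity.
  return { header, payload, times, warnings,
           signatureBytes: b64urlToBytes(parts[2]).length, verified: false };
}
```

Calling `decodeJwt(SAMPLE)` today reports the token as expired; none of the returned fields should be trusted for authorization until the signature has been checked with the issuer's key.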

Frequently asked questions

Does it verify the signature?

No. Verifying a JWT requires the secret (HMAC) or the issuer's public key (RSA, ECDSA), which the tool does not have and should not request. For verification, use JWT Encoder in verify mode or your library's built-in verifier — never accept claims without checking the signature server-side.

Is the token sent to a server?

No. Decoding is just Base64URL-decode and JSON.parse, both of which run locally in your browser. Inspect your network tab while pasting a token if you want to confirm. This matters because tokens often carry session identifiers.

How is this different from JWT Encoder?

Decoder reads existing tokens; Encoder builds new ones. Different sides of the same protocol — encode, sign, transmit, then decode and verify on the other end. Use the Decoder for debugging; the Encoder for building test fixtures or local-development tokens.

Why is the signature shown but not validated?

Because the signature is opaque without the key — there is nothing meaningful to render except the raw bytes. The Decoder shows it for completeness so you can confirm the token has the expected three segments and the third segment is non-empty.