JWT Decoder
Decode JWT headers, payloads, claims, exp, iat, nbf, issuer, subject, audience, scopes, and signature parts locally in your browser without verifying signatures.
This tool runs in your browser. Your input is processed locally and is not uploaded.
About this Tool
Use this free online JWT decoder to inspect JSON Web Tokens locally in your browser. Decode the header, payload, common claims, token dates, issuer, subject, audience, scopes, and the raw signature part without sending the token to a server. This tool is for decoding and debugging only. It does not verify the JWT signature, does not prove that claims are trustworthy, and does not create new tokens.
Examples
- Decode the JWT header to inspect alg and typ
- Decode the payload to inspect sub, iss and aud
- Convert exp into a readable expiration date
- Convert iat into the issued-at date
- Check nbf to see when a token becomes valid
- Inspect scopes or permissions in the payload
- View the signature part without verifying it
- Debug development tokens locally in the browser
Frequently Asked Questions
What is a JWT?
A JWT, or JSON Web Token, is a compact token format that usually contains a JSON header, a JSON payload, and a signature. It is often used for authentication, authorization, and passing claims between systems.
What are the three parts of a JWT?
A JWT normally has three dot-separated parts: the header, the payload, and the signature. The header and payload are Base64url-encoded JSON, while the signature is used by receiving systems for verification.
Does this tool verify the signature?
No. This tool decodes and parses the token locally. Decoding a JWT is not the same as verifying its signature or trusting its claims.
Why is decoding not the same as trusting a JWT?
The header and payload are only encoded, not encrypted by default. A token can be decoded by anyone, but its claims should only be trusted after the signature, issuer, audience, expiration, and other validation rules have been checked.
What does exp mean?
The exp claim is the expiration time of the token. It is usually stored as a Unix timestamp and can be converted into a readable date and time.
What does iat mean?
The iat claim means issued at. It records when the token was created, usually as a Unix timestamp.
What does nbf mean?
The nbf claim means not before. A receiving system should reject the token if the current time is earlier than that timestamp, even if the signature is otherwise valid.
What are iss, sub and aud?
iss identifies the issuer, sub identifies the subject, and aud identifies the intended audience. These claims help receiving systems decide whether the token was meant for them.
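The decode-only inspection described in the answers above can be sketched as follows. This is an added example, not this tool's own source code; the function names, the sample token, the issuer and audience values, and the `scope` claim layout (space-separated string) are constructed assumptions.

```javascript
// Added example: decode-only JWT inspection. Nothing here verifies the signature.
function b64urlToString(part) {
  // Base64url uses '-' and '_' and drops '=' padding; convert back to Base64.
  const b64 = part.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), c => c.charCodeAt(0));
  return new TextDecoder('utf-8', { fatal: true }).decode(bytes);
}

function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) throw new Error('expected three dot-separated parts');
  if (!parts.every(p => /^[A-Za-z0-9_-]*$/.test(p))) {
    throw new Error('part contains non-base64url characters');
  }
  const header = JSON.parse(b64urlToString(parts[0]));
  const payload = JSON.parse(b64urlToString(parts[1]));
  if (!header || !payload || typeof header !== 'object' || typeof payload !== 'object') {
    throw new Error('header and payload must be JSON objects');
  }
  // exp, iat and nbf are Unix timestamps in seconds; Date expects milliseconds.
  const toDate = v => (Number.isFinite(v) ? new Date(v * 1000).toISOString() : null);
  const warnings = [];
  if (String(header.alg).toLowerCase() === 'none') warnings.push('alg is none (unsigned)');
  if (Number.isFinite(payload.exp) && nowSeconds >= payload.exp) warnings.push('expired (exp)');
  if (Number.isFinite(payload.nbf) && nowSeconds < payload.nbf) warnings.push('not yet valid (nbf)');
  return {
    header,
    payload,
    dates: { exp: toDate(payload.exp), iat: toDate(payload.iat), nbf: toDate(payload.nbf) },
    scopes: typeof payload.scope === 'string' ? payload.scope.split(' ').filter(Boolean) : [],
    signature: parts[2], // raw third part, shown but never checked
    verified: false,     // decoding alone never makes the claims trustworthy
    warnings,
  };
}

// Constructed sample token; the third part is a placeholder, not a real signature.
const enc = o => btoa(JSON.stringify(o)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const SAMPLE = [
  enc({ alg: 'HS256', typ: 'JWT' }),
  enc({ iss: 'https://issuer.example', sub: 'user-123', aud: 'api.example',
        scope: 'read write', iat: 1700000000, nbf: 1700000000, exp: 1700003600 }),
  'c2lnbmF0dXJl',
].join('.');
console.log(decodeJwt(SAMPLE, 1700000100));
```

The `warnings` list is a debugging aid only; a receiving system still has to verify the signature and check issuer and audience before acting on any claim.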
Is it safe to paste access tokens?
Be careful. JWTs can contain sensitive information or grant access to accounts. This tool is designed for local browser decoding, but production access tokens should still be handled according to your security policy.
Why is there no JWT encoder here?
Creating a useful JWT usually requires signing with a secret or private key. This tool focuses on safe local decoding and inspection instead of generating misleading unsigned tokens.