JWT Decoder
Decode a JSON Web Token in your browser — header, payload, and expiry. Nothing is sent to a server.
Frequently Asked Questions
What is a JWT and what are its three parts?
A JWT (JSON Web Token) is a compact, URL-safe token format used to carry claims between two parties, defined in RFC 7519. It has three parts separated by dots: a header, a payload, and a signature. The header and payload are JSON objects that are base64url-encoded, and the signature is used to verify that the token was not altered.
Does decoding a JWT reveal the data inside it?
Yes. The header and payload of a JWT are base64url-encoded, not encrypted, so anyone who has the token can decode and read its contents. Encoding only makes the data URL-safe; it does not hide or protect it. For that reason you should never put secrets in a standard JWT payload.
Does this tool verify the JWT signature?
No. This is a decoder and inspector, not a verifier. Decoding reads the header and payload, while verifying requires the signing key and a cryptographic check to confirm the token is authentic and unmodified. We deliberately do not verify signatures, so treat the decoded contents as readable claims, not as proof the token is valid or trusted.
What do the exp, iat, and nbf claims mean in a JWT?
These are standard registered claims defined in RFC 7519 that carry time values, expressed as NumericDate (seconds since the Unix epoch in UTC). The exp (expiration time) claim is the time at or after which the token must not be accepted, iat (issued at) is the time the token was created, and nbf (not before) is the time before which the token must not be accepted. This tool converts those numeric timestamps into human-readable UTC dates and relative time so you can see at a glance whether a token is expired or not yet valid.
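The decode-only inspection described in the answers above, as an added example that is not this tool's own code: it splits the token, base64url-decodes the header and payload, and classifies exp and nbf against a supplied clock, without ever checking the signature. The function names (b64urlDecode, decodeJwt, timeStatus, toUtc, makeSampleToken) and the sample token are constructed for illustration.

```javascript
// Added example: decode-only JWT inspection. No signature verification is performed.

// base64url (alphabet A-Z a-z 0-9 - _, padding stripped) -> UTF-8 string.
function b64urlDecode(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error("segment is not base64url");
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

// Split header.payload.signature and parse the two JSON parts.
// The result is readable claims only, so `verified` is always false.
function decodeJwt(token) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const [header, payload] = parts.slice(0, 2).map((p) => JSON.parse(b64urlDecode(p)));
  return { header, payload, signaturePresent: parts[2].length > 0, verified: false };
}

// exp: reject at or after this time. nbf: reject before this time.
// Both are NumericDate values (seconds since the Unix epoch, UTC).
function timeStatus(payload, nowSeconds) {
  const isNum = (v) => typeof v === "number" && Number.isFinite(v);
  if (isNum(payload.exp) && nowSeconds >= payload.exp) return "expired";
  if (isNum(payload.nbf) && nowSeconds < payload.nbf) return "not yet valid";
  return "within validity window (unverified)";
}

// NumericDate -> human-readable UTC timestamp.
const toUtc = (numericDate) => new Date(numericDate * 1000).toISOString();

// Constructed sample token; the third part is a placeholder, not a real signature.
function makeSampleToken(payload) {
  const enc = (obj) =>
    btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "HS256", typ: "JWT" })}.${enc(payload)}.c2lnbmF0dXJl`;
}

const sample = makeSampleToken({ sub: "user-123", iat: 1700000000, nbf: 1700000000, exp: 1700003600 });
const decoded = decodeJwt(sample);
console.log(decoded.header, decoded.payload);
console.log("exp:", toUtc(decoded.payload.exp), "->", timeStatus(decoded.payload, 1700003600));
```

Every claim is readable without a key, and the status string is only a reading of the timestamps, not a validity decision.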
Is it safe to paste my JWT into this tool?
The decoding happens entirely in your browser and the token is never sent to any server, so it is not transmitted, stored, or logged by us. That said, a JWT is a credential: anyone who obtains it may be able to act as you until it expires, so you should not paste a live token into pages you do not trust, and you should not share or post your tokens publicly.