JWT Decoder
Paste a JSON Web Token to read its header and payload, with expiry shown as a date. Decodes in your browser — nothing is sent anywhere.
Try an example
The classic sample token — load it to see the header and payload decoded.
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5cReading a JWT
A JWT has three dot-separated parts: the header (the signing algorithm), the payload (the claims — who the user is, when the token expires), and the signature (which a server checks to confirm the token wasn't tampered with). This tool decodes the first two so you can debug what a token actually contains.
Frequently asked questions
What is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe token with three parts — header, payload and signature — separated by dots. It is widely used to carry authentication and session information between a client and server.
Does this tool verify the JWT signature?
No. This tool only decodes the header and payload so you can read them. It does not verify the signature — verification requires the secret or public key on your server.
Is it safe to paste my token here?
Decoding happens entirely in your browser — the token is never sent anywhere. That said, avoid pasting production tokens into any online tool as a general security habit.
What do exp and iat mean?
iat is "issued at" and exp is "expires at", both Unix timestamps. This decoder shows them as readable dates and flags whether the token is expired.