JWT Decoder

Paste a JSON Web Token to read its header and payload as formatted JSON, with the algorithm and any expiry shown in plain language. Decoding happens in your browser — the token is never uploaded.


What a JWT is

A JSON Web Token (JWT) is a compact, URL-safe token made of three Base64url-encoded parts joined by dots: header.payload.signature. The header says how the token is signed, the payload carries the claims (data) and the signature lets a server verify the token wasn't tampered with.

Diagram: header . payload . signature, then Base64url-decode the header and payload.

This decoder splits the token, Base64url-decodes the first two parts and pretty-prints them as JSON. It does not verify the signature, because that requires the secret or public key — which you should never paste into any website.

Worked example

For the sample token, the parts decode to:

Header: {"alg":"HS256","typ":"JWT"} — signed with HMAC-SHA256.
Payload: {"sub":"1234567890","name":"Calcool","iat":1700000000}.
iat (issued-at) 1700000000 is shown as a readable date.

Signature and security

Anyone can read a JWT's payload — it's only encoded, not encrypted — so never store secrets in it. The signature is what proves authenticity, and only the server with the key can validate it. Standard claims include exp (expiry), iat (issued at), sub (subject) and iss (issuer); this tool flags whether the token is expired based on exp.
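The decoding and expiry check described above and in the worked example, as an added illustration that is not the Calcool tool's own code. It uses a hand-written Base64url decoder (no atob or Buffer needed), reports the algorithm and dates, and flags expiry, and it leaves the signature untouched; the sample token below is constructed from the page's worked-example header and payload with a placeholder third part, not a real HMAC.

```javascript
// Added example, not the Calcool tool's own code: decode a JWT's header and
// payload, show alg and dates, flag expiry. No signature check: claims are untrusted.
const B64URL = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';

// Base64url -> bytes. JWT parts carry no '=' padding, so decode bit by bit.
function base64urlToBytes(s) {
  if (!/^[A-Za-z0-9_-]*$/.test(s)) throw new Error('not Base64url: ' + s);
  const out = [];
  let acc = 0, bits = 0;
  for (const ch of s) {
    acc = ((acc << 6) | B64URL.indexOf(ch)) & 0x3fff; // keep at most 14 bits
    bits += 6;
    if (bits >= 8) { bits -= 8; out.push((acc >> bits) & 0xff); }
  }
  return new Uint8Array(out);
}

const toIso = ts => new Date(ts * 1000).toISOString();

// Mirrors the tool's "expired?" flag: exp is a Unix timestamp (RFC 7519) and
// the current time must be strictly before it.
function expiryStatus(payload, now) {
  if (typeof payload.exp !== 'number') return 'no exp claim';
  return now >= payload.exp ? 'expired' : 'valid until ' + toIso(payload.exp);
}

function decodeJwt(token, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const [header, payload] = parts.slice(0, 2).map(part =>
    JSON.parse(new TextDecoder().decode(base64urlToBytes(part))));
  return {
    header, payload,
    alg: header.alg,                  // how the token claims to be signed
    issuedAt: typeof payload.iat === 'number' ? toIso(payload.iat) : null,
    expiry: expiryStatus(payload, now),
    signatureVerified: false,         // decoding only, as the page describes
  };
}

// Constructed sample: the page's worked-example header and payload with a
// placeholder third part (not a real HMAC signature).
const SAMPLE_JWT =
  'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.' +
  'eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkNhbGNvb2wiLCJpYXQiOjE3MDAwMDAwMDB9.' +
  'PLACEHOLDER_SIGNATURE';

console.log(JSON.stringify(decodeJwt(SAMPLE_JWT), null, 2));
```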

Tip: need to decode plain Base64 instead? Use the Base64 encoder / decoder.

Frequently asked questions

Does this verify the JWT signature?

No. Verifying a signature needs the secret or public key, which you must never paste into a website. This tool only decodes the readable header and payload so you can inspect the claims.

Is a JWT encrypted?

No. The header and payload are Base64url-encoded, not encrypted, so anyone can read them. Never put passwords or secrets in a JWT payload.

What does 'exp' mean?

exp is the expiry time as a Unix timestamp. If the current time is past exp, the token is expired and a server should reject it. The decoder shows expiry in plain language.

Is my token sent to a server?

No. Splitting and Base64url-decoding happen entirely in your browser. The token is never uploaded, which matters because tokens can grant access to accounts.

Mustafa Bilgic · Editor, Calcool
Follows the JWT structure defined in RFC 7519. Signature is not verified (never paste keys online). Everything runs in your browser — nothing you enter is uploaded, logged or stored.