Paste a JSON Web Token to instantly decode header, payload, and claims — expiry countdown, no signup, nothing ever leaves your browser.
Copy a JWT token from your API response, localStorage, or Authorization header and paste it into the input box.
The decoder splits the token into its three parts (header, payload, signature) and decodes the base64url-encoded sections.
View all claims including sub, iss, aud, iat, exp — with a countdown showing whether the token is still valid or already expired.
Yes, completely safe. This tool decodes JWT tokens entirely in your browser using JavaScript. Your token is never sent to any server — it never leaves your device. This is the same approach used by jwt.io. We recommend against pasting production tokens with sensitive payloads into any online tool, but the decoding itself is purely local.
A JSON Web Token (JWT) has three base64url-encoded parts separated by dots: Header (algorithm and token type), Payload (claims like user ID, roles, expiry), and Signature (used to verify the token wasn't tampered with). The header and payload can be decoded without any key, because they are encoded, not encrypted, so anyone holding the token can read them. Verifying the signature is different: it requires the server's secret key or public certificate.
Signature verification requires the secret key or public certificate used to sign the token — information that stays on your server. This tool decodes (not verifies) the header and payload, which is useful for debugging, inspecting claims, and checking expiry. For signature verification in production, use your backend's JWT library.
sub — Subject (user ID). iss — Issuer (who created the token). aud — Audience (intended recipient). exp — Expiry timestamp (Unix epoch). iat — Issued at timestamp. nbf — Not before (token not valid until this time). jti — JWT ID (unique token identifier).