JWT decoder
Paste a JSON Web Token to inspect its header, payload, and expiry. Decoding happens entirely in your browser — nothing is sent to a server.
Token
This token has no signature segment — it is unsigned. Treat it as untrusted.
Expiry status
Header
| Claim | Value | Description |
|---|---|---|
Raw JSON
Payload
| Claim | Value | Description |
|---|---|---|
Raw JSON
Signature
Base64url-encoded signature segment:
Signature NOT verified — verification requires the secret or public key. This tool only decodes.
About JWTs
A JSON Web Token (JWT) is a compact, URL-safe string used to carry claims between parties. It has three dot-separated parts: a header (metadata like the signing algorithm), a payload (the claims — user ID, roles, expiry, custom data), and a signature (proof the token was not tampered with).
Registered claims include iss (issuer), sub (subject),aud (audience), exp (expiration), nbf (not before),iat (issued at), and jti (token ID). Any other key is a private or public custom claim.
Decoding a JWT shows you what is inside — it does not prove the token is genuine. Always verify the signature with the issuer's key before trusting claims for authentication or authorization. Tokens with alg: none or missing signatures must be rejected in production.
Read more
- JSON Web Token (JWT) explained — how JWTs work and when to use them
- Auth with GraphQL, Apollo, JWT and cookies
- Introduction to JSON — the format JWTs are built on