All tools · 🔐 Crypto / Hash

🔐 JWT Decoder

JSON Web Tokens (JWTs) consist of three base64url-encoded parts separated by dots: header.payload.signature. This decoder splits and decodes the first two parts so you can inspect claims like iss, sub, exp, iat. The signature is NOT verified — you would need the original secret key.

Loading tool…

Examples

Decode a standard JWT
InputeyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
OutputHeader: { "alg": "HS256", "typ": "JWT" } Payload: { "sub": "1234567890", "name": "John Doe", "iat": 1516239022 }

iat is "issued at" — a Unix timestamp.

Frequently asked questions

Does this verify the JWT signature?

No. Signature verification requires the original secret (for HS256) or public key (for RS256), which we do not have. We only decode the header and payload.

Is it safe to paste my JWT here?

Decoding happens entirely in your browser — the token is never sent to our servers. That said, if your JWT is sensitive (production access token), inspect it offline or revoke it after.

What do the three dot-separated parts mean?

header.payload.signature. The header declares the algorithm. The payload holds claims. The signature is computed over the first two parts using the algorithm in the header.

What is "alg": "none" — is that valid?

It is technically a JWT algorithm meaning "no signature," but accepting it in production is a known security vulnerability. Most libraries reject it by default.

Why is my token rejected for being expired?

Check the exp claim (a Unix timestamp). If it is in the past, the server will reject it. You can usually re-authenticate to get a fresh token.

About this tool

JWT Decoder runs entirely in your browser using standard Web APIs. No data is sent to any server. The source for this tool is in our public GitHub repository.

Related tools

← All 96 tools

Why this tool

vs typical free web-tool sites

1vwTypical free site
PriceFreeFree
Signup requiredNoOften (for premium features)
Ads inside the toolNoYes (banner + video)
Data sent to serverNo (browser-only)Yes (inputs analyzed for ads)
Total tools96Often <20 or scattered across sites
Bookmarkable URL per toolYesMixed
Loads in under 1sYes (static)Often slow (ad tracking)
MultilingualEN / ES / PT / FR / DEUsually EN only
Open sourceYesNo