JWT Decoder Online
Decode and inspect JWT tokens instantly in your browser. View header, payload, and signature with automatic timestamp conversion and expiry status — no server, no data sent.
Frequently Asked Questions about JWT Decoder
How do I decode a JWT token online?
Paste your JWT token into the input field and the decoder will instantly split and display the header and payload as formatted JSON. No button click required — decoding happens in real-time as you type.
Is it safe to paste my JWT token here?
Yes. This tool runs 100% in your browser. Your token is never sent to any server. All decoding is done locally using JavaScript's built-in atob() function and JSON parsing.
What does a JWT token consist of?
A JWT (JSON Web Token) has three parts separated by dots: the Header (algorithm and token type), the Payload (claims such as user ID, roles, expiry), and the Signature (used to verify authenticity). This tool decodes the header and payload.
Can I verify the JWT signature here?
No. Signature verification requires the secret key or public key used to sign the token, which should never be shared with a browser tool. This tool only decodes the header and payload — it does not verify the signature.
How does the expiry check work?
If the payload contains an 'exp' (expiration) claim, the tool compares it against the current time and displays whether the token is valid or expired. The 'iat' (issued at) and 'nbf' (not before) fields are also converted to human-readable dates.
What does 'Invalid JWT format' mean?
A valid JWT must have exactly three parts separated by dots, and the header and payload must be valid base64url-encoded JSON. If your token is missing parts or contains invalid characters, this error will be shown.
What is the difference between JWT and JWS?
JWS (JSON Web Signature) is the signed form of a JWT — the most common type you'll encounter. A JWT is a general container format. In practice, when people say JWT they almost always mean a signed JWS token with three dot-separated parts.