Encode / Decode

JWT Decoder

Paste any JWT token and instantly see its decoded header, payload, and expiry — no secret key needed, all in your browser.

Open JWT Decoder →

What is the JWT Decoder?

A JWT (JSON Web Token) is a compact, URL-safe token made of three Base64url-encoded parts separated by dots: header.payload.signature. The JWT Decoder reads the header and payload parts and displays them as readable JSON — without needing the secret key.

Note: decoding is not the same as verification. This tool reads the claims but does not check the signature. Signature verification must happen server-side using your application's secret key.

The Three Parts of a JWT

Header
Contains the token type ("typ": "JWT") and the signing algorithm ("alg": "HS256" or "RS256", etc.).
Payload
Contains the claims — statements about the user and additional metadata: sub (subject/user ID), exp (expiry timestamp), iat (issued at), aud (audience) and custom claims.
Signature
A cryptographic signature computed over the encoded header + payload using the server's secret key (HS256) or private key (RS256). Cannot be forged without the key. The decoder displays it as-is without verification.

How to Use It

1. Copy your JWT

Find the JWT in your application — in a request's Authorization: Bearer ... header, a cookie, or browser DevTools Network tab.

2. Paste into the decoder

Open Encode / Decode and paste the JWT into the JWT Decoder field. It looks like eyJ...eyJ...xxx.

3. Inspect the parts

Read the decoded Header (algorithm) and Payload (claims) displayed as formatted JSON.

4. Check expiry

The exp claim is a Unix timestamp. Use the Unix Timestamp Converter to read it as a human-readable date.

Pro Tips

💡The exp claim is a Unix timestamp in seconds. Convert it with the Timestamp Converter to check if the token is expired.
💡A JWT starting with eyJ is a standard compact JWT — eyJ is what Base64url produces for {" followed by a letter, i.e. the opening of a JSON object such as {"alg or {"typ.
💡Remember: anyone can decode the payload. Never put sensitive data (passwords, secrets) in JWT claims — they are only Base64-encoded, not encrypted.
💡The algorithm in the header (HS256, RS256) tells you how the signature was created. HS256 = HMAC-SHA256 (symmetric). RS256 = RSA-SHA256 (asymmetric).

Frequently Asked Questions

Does this tool verify the JWT signature?
No. It only decodes the Base64url-encoded parts to make them readable. Signature verification requires the secret key and must be done in your application.
What is the JWT structure?
Three dot-separated Base64url strings: header.payload.signature. Header contains algorithm info; payload contains claims; signature proves authenticity.
What claims should I look for?
Key claims: sub (subject/user ID), exp (expiry Unix timestamp), iat (issued at), aud (audience), iss (issuer), plus any custom application claims.
Is my JWT sent to a server?
No — decoding happens entirely in your browser using JavaScript. The JWT never leaves your machine.

Decode your JWT now

Open the JWT Decoder and inspect any token instantly — no login, no server, no secret key needed.
