JWT Decoder
Decode and validate JSON Web Tokens (JWT). View header, payload, and signature instantly. Everything runs in your browser — nothing is sent to any server.
What is a JWT?
Decoding a JWT Does Not Verify It
A JSON Web Token has three parts: header, payload, and signature. The first two parts are Base64URL-encoded JSON, which means they are readable by anyone who has the token. Decoding a JWT helps you inspect claims such as sub, iss, aud, iat, and exp, but it does not prove that the token is trusted.
Verification requires the correct secret or public key and must be performed by the application or backend that owns the authentication system. This distinction matters: a token can look valid after decoding while still having a bad signature, the wrong audience, an expired timestamp, or claims that should not be accepted by your service.
Safe JWT Debugging Checklist
exp, nbf, and iat claims use Unix timestamps in seconds. A server clock that is several minutes off can make a good token appear invalid.iss or aud is wrong.