
Free JWT Decoder & Debugger Online – Decode JSON Web Tokens Securely

Instantly decode JSON Web Tokens (JWT) to view their header, payload, and signature data.


Note: This tool only decodes the token. It does not verify the signature. Verification requires your secret key/public key and should be done on your server.


What is a JWT?

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed.

How does it work?

A JWT is composed of three parts separated by dots (.): Header, Payload, and Signature. Each part is Base64Url encoded. Our tool reverses this encoding to show you the human-readable JSON data contained within the token.

Features & Capabilities

Real-time Decoding: Watch your JWT decode instantly as you paste it into the editor.
Detailed Breakdown: See exactly what's in your Header (Algorithm, Type) and Payload (Claims).
100% Client-Side: Your tokens never leave your browser. All processing happens locally for maximum security.
Copy to Clipboard: Easily copy the decoded JSON parts with a single click for use in your code.

How to Use

  1. Copy your encoded JWT from your application or environment.
  2. Paste it into the input area above.
  3. The decoded Header and Payload will automatically appear in the sections below.
  4. Use the "Copy JSON" buttons to grab the data for debugging or documentation.

Reading the Decoded Claims

Once you paste a token, the payload pane reveals the claims — short keys with specific meanings defined by RFC 7519. iss (issuer) tells you who minted the token; sub (subject) is usually the user ID; aud (audience) is who the token is meant for; exp is a Unix timestamp marking expiry; iat is when it was issued; and nbf is the earliest time it's valid. Custom claims like roles, scope, or tenant_id sit alongside the standard ones. If exp reads 1730812800 and the current time is past that, the token is dead — even if the signature is valid — and your API will return 401.

A Real Debugging Scenario

You're calling a protected API and getting a 403 Forbidden response despite a freshly minted access token. Paste the JWT here. The header shows {"alg":"RS256","kid":"key-2024-01"} and the payload shows {"sub":"user-42","scope":"read:users","exp":1730900000}. The endpoint you're hitting requires write:users — the scope is wrong, not the token itself. You now know to widen the scope at login rather than rotate keys or chase clock skew.

Security: What This Tool Does Not Do

This is a decoder, not a verifier. A JWT signature proves the token was issued by someone holding the signing key, and checking it requires the matching verification key: the shared secret for HMAC algorithms, or the issuer's public key for asymmetric algorithms such as RS256. Decoding is purely Base64Url unwrapping, so anyone with the raw token can read the payload. That's why JWT payloads should never contain passwords, full credit-card numbers, or any data you wouldn't want a user to see in their browser's local storage. Treat the payload as public-readable, even though it's signed.
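The decoding step from "How does it work?" together with the exp/nbf and alg checks discussed in the claims, scenario and security sections, as an added example in browser-style JavaScript that is not the tool's own code. The sample token is constructed from the scenario's header and payload with a meaningless signature segment; an empty issue list only means the claims look plausible, not that the token is authentic.

```javascript
// Added example (not the tool's own code): decode a compact JWT as the page
// describes, then flag what a verifier would reject on claims alone.
// Needs atob/btoa and TextEncoder/TextDecoder: any browser or Node 16+.

function base64UrlDecode(part) {
  // Base64Url -> standard Base64: restore '+' and '/', then re-pad to a
  // multiple of four characters before handing the string to atob().
  const b64 = part.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), c => c.charCodeAt(0));
  return new TextDecoder().decode(bytes); // claims may contain UTF-8 text
}

function decodeJwt(token) {
  // A compact JWS has exactly three dot-separated segments.
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  return {
    header: JSON.parse(base64UrlDecode(parts[0])),
    payload: JSON.parse(base64UrlDecode(parts[1])),
    signature: parts[2], // kept encoded: it cannot be checked without the key
  };
}

function inspectClaims(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  // Lists reasons a verifier would reject the token from its header and
  // time claims alone. An empty list does NOT mean the token is authentic.
  const { header, payload } = decodeJwt(token);
  const issues = [];
  if (typeof header.alg !== 'string' || header.alg.toLowerCase() === 'none') issues.push('unsigned (alg none)');
  if (payload.exp !== undefined && nowSeconds >= payload.exp) issues.push('expired');
  if (payload.nbf !== undefined && nowSeconds < payload.nbf) issues.push('not yet valid');
  return issues;
}

// Constructed sample token (assumption, not issued by any real system): the
// header and payload from the debugging scenario, plus a meaningless signature.
function encodePart(obj) {
  const bytes = new TextEncoder().encode(JSON.stringify(obj));
  return btoa(String.fromCharCode(...bytes))
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
const SAMPLE_TOKEN = [
  encodePart({ alg: 'RS256', kid: 'key-2024-01' }),
  encodePart({ sub: 'user-42', scope: 'read:users', exp: 1730900000 }),
  'not-a-real-signature',
].join('.');

console.log(decodeJwt(SAMPLE_TOKEN).payload.scope);   // read:users
console.log(inspectClaims(SAMPLE_TOKEN, 1730900000));  // [ 'expired' ]
```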

Frequently Asked Questions

Can this tool verify a JWT signature?

No. Verification needs the issuer's public key (or shared secret), and pasting that into a third-party page would be a security mistake. Use your server-side library for verification.

Is it safe to paste a production token here?

Decoding happens in your browser; the token never reaches a server. Still, treat any token as a credential — close the tab when done and rotate the token if you suspect it leaked elsewhere.

Why do timestamps look like big numbers?

JWT uses Unix epoch seconds. Convert by pasting the value into new Date(1730900000 * 1000) in your console, or use a Unix-timestamp converter to get a human-readable date.

What does the "alg":"none" header mean?

It indicates an unsigned token. Many libraries reject these by default because accepting them is a known JWT vulnerability — never trust an alg:none token in production code.