
JWT Decoder

Decode and inspect JSON Web Tokens locally.

Runs in your browser

Paste a JWT to view its header and payload. We show the issued-at and expiry timestamps in human-readable form. We do not verify signatures here - bring your secret to your own server for that.

Header

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload

{
  "sub": "1234567890",
  "name": "Arnaud",
  "iat": 1516239022
}

Standard claims

Subject: 1234567890
Issued at: 2018-01-18 01:30:22 UTC

How to use it

  1. Paste the JWT

    Drop the full three-part token (header.payload.signature) into the input. Sample tokens are pre-filled to help you explore the structure.

  2. Read the header and payload

    The decoded JSON for both parts is shown side by side. Standard claims (iss, sub, exp, iat) are formatted as readable dates and labels.

  3. Verify expiry

    Check whether the `exp` claim is in the past - that's by far the most common reason a JWT-protected request is rejected.

What is it?

A JSON Web Token (JWT) is three URL-safe Base64 strings joined by dots: a header (algorithm and token type), a payload (the claims - who the token is for, when it expires, what it allows), and a signature (which lets a holder of the key confirm the header and payload weren't tampered with). A JWT decoder splits the token and Base64-decodes the first two segments so a human can read the claims; it does NOT verify the signature, because that requires the signing secret or the issuer's public key.
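The three steps above (split the token, decode the header and payload, check `exp`) as an added example; this is not the tool's own code. It runs under Node and uses Buffer for the Base64 work (in a browser you would use atob/btoa instead), and the sample token is constructed from the header and payload shown on this page with an assumed `exp` one hour after `iat` and a placeholder in the signature position.

```javascript
// Added example, not the tool's own code: split a JWT into its three segments,
// base64url-decode the header and payload, render the time claims the way the
// page does, and report whether `exp` has already passed. Written for Node
// (Buffer); in a browser, swap Buffer for atob/btoa.

// base64url (RFC 4648 section 5): '-' and '_' instead of '+' and '/', no '=' padding.
function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

// Decode only. The signature segment is returned untouched: nothing here proves
// the token is genuine, which is exactly what the page warns about.
function decodeJwt(token) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) {
    throw new Error(`expected header.payload.signature, got ${parts.length} segment(s)`);
  }
  const [headerSeg, payloadSeg, signatureSeg] = parts;
  return {
    header: JSON.parse(base64UrlDecode(headerSeg)),
    payload: JSON.parse(base64UrlDecode(payloadSeg)),
    signature: signatureSeg,
  };
}

// Render a NumericDate claim (seconds since the Unix epoch) as "YYYY-MM-DD HH:MM:SS UTC".
function formatNumericDate(seconds) {
  return new Date(seconds * 1000)
    .toISOString()
    .replace('T', ' ')
    .replace(/\.\d{3}Z$/, ' UTC');
}

// Summarise the standard claims. `nowSeconds` is a parameter so the expiry
// check can be exercised against a fixed clock rather than wall time.
function summarizeClaims(payload, nowSeconds = Math.floor(Date.now() / 1000)) {
  const summary = { subject: payload.sub ?? null, issuer: payload.iss ?? null };
  if (typeof payload.iat === 'number') summary.issuedAt = formatNumericDate(payload.iat);
  if (typeof payload.exp === 'number') {
    summary.expiresAt = formatNumericDate(payload.exp);
    summary.expired = payload.exp <= nowSeconds;   // RFC 7519: "now" must be before exp
  } else {
    summary.expired = null;   // no exp claim: nothing on the token itself ends its validity
  }
  return summary;
}

// --- Constructed sample token (not a real credential) -------------------------
// Built from the header and payload shown on this page, plus an assumed `exp`
// one hour after `iat`, with a placeholder where a real token carries its signature.
function base64UrlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
const SAMPLE_PAYLOAD = { sub: '1234567890', name: 'Arnaud', iat: 1516239022, exp: 1516242622 };
const SAMPLE_JWT = [
  base64UrlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' })),
  base64UrlEncode(JSON.stringify(SAMPLE_PAYLOAD)),
  'signature-placeholder',
].join('.');

const decoded = decodeJwt(SAMPLE_JWT);
console.log(decoded.header);                    // { alg: 'HS256', typ: 'JWT' }
console.log(decoded.payload);
console.log(summarizeClaims(decoded.payload));  // expired: true against today's clock
```

Because `summarizeClaims` takes the clock as an argument, the same function can be pointed at a fixed timestamp when reproducing a "token rejected" report from a support ticket.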

When to use it

Inspect a JWT when debugging an authentication flow: which user is this token for, when does it expire, what scopes does it grant, which issuer signed it. Useful for support engineers, security reviewers, and developers wiring up OAuth or OpenID Connect. Always cross-check the `exp` claim against the current time when a request is unexpectedly rejected.

Common mistakes

Don't paste production tokens into untrusted sites - the payload may include user identifiers, email addresses or scopes. Don't confuse a JWT with encryption: the payload is just Base64-encoded JSON, fully readable by anyone who has the token. And remember that signature verification needs the issuer's key - never trust a JWT's claims without verifying the signature on your server.

FAQ

Why don't you verify signatures here?
Verifying a signature requires the secret or public key. Pasting a signing secret into a website is exactly the wrong threat model - keep it on your server.
Are tokens stored anywhere?
No. Decoding runs in your browser; we never send the token over the network.
