Dev utility

JWT decoder

Paste a JSON Web Token to read its header and payload, with the time claims spelled out. Everything happens in your browser — the token never leaves this page.

What's in a JWT

A JSON Web Token is three base64url parts separated by dots: a header (the signing algorithm), a payload (the claims), and a signature. The first two are just encoded JSON — not encrypted — so anyone can read them. The signature is what proves the token wasn't tampered with.

The standard time claims

exp: Expiry — the token is invalid after this time.
iat: Issued-at — when the token was created.
nbf: Not-before — the token isn't valid until this time.

These are Unix timestamps (seconds since 1970); they're shown here as readable UTC dates.

Decode, not verify

This tool only reads the token — it does not check the signature, which would need the secret or public key. A decoded payload tells you what a token claims, not whether it's genuine. And because decoding is local, it's safe to paste a token here — but as a habit, don't paste production secrets into any web tool.
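
As an added example (not this tool's own code), here is a decode-only reader covering the three-part structure, the time claims and the decode-versus-verify distinction described above. All function and constant names, and both sample tokens, are constructed for the illustration.

```javascript
// Added example: decode-only JWT reader. All function and constant names are illustrative.
const b64url = (obj) =>
  btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");

function decodeSegment(seg) {
  if (!/^[A-Za-z0-9_-]+$/.test(seg)) throw new Error("segment is not base64url");
  // base64url -> base64: swap the URL-safe characters back and restore padding.
  const b64 = seg.replace(/-/g, "+").replace(/_/g, "/") + "=".repeat((4 - (seg.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder("utf-8", { fatal: true }).decode(bytes));
}

function decodeJwt(token) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  return {
    header: decodeSegment(parts[0]),
    payload: decodeSegment(parts[1]),
    verified: false, // decoding alone never establishes authenticity
  };
}

function describeTimes(payload, nowSeconds) {
  const out = {};
  for (const claim of ["exp", "iat", "nbf"]) {
    const v = payload[claim];
    if (v === undefined) continue;
    // Must be a real number inside the range a Date can represent (in seconds).
    const ok = Number.isFinite(v) && Math.abs(v) <= 8.64e12;
    out[claim] = ok ? new Date(v * 1000).toISOString() : "invalid timestamp";
  }
  // RFC 7519: reject on or after exp, and before nbf.
  out.expired = Number.isFinite(payload.exp) && nowSeconds >= payload.exp;
  out.notYetValid = Number.isFinite(payload.nbf) && nowSeconds < payload.nbf;
  return out;
}

// Constructed sample token; the third part is a placeholder, not a real signature.
const SAMPLE = [
  b64url({ alg: "HS256", typ: "JWT" }),
  b64url({ sub: "demo-user", iat: 1700000000, nbf: 1700000000, exp: 1700003600 }),
  "placeholder-signature",
].join(".");
// Same header and "signature", edited payload: it decodes just as cleanly.
const EDITED = [SAMPLE.split(".")[0], b64url({ sub: "someone-else" }), SAMPLE.split(".")[2]].join(".");
```

Both SAMPLE and EDITED decode without error and both come back with verified: false, which is why a server must check the signature before acting on any claim.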
