JWT Decoder
Paste a JSON Web Token to instantly read its header and payload claims, with expiry checks — decoded privately in your browser.
Understanding the JWT Decoder
A JSON Web Token (JWT) is a compact, URL-safe token with three Base64Url-encoded parts separated by dots: header, payload, and signature. This tool splits a token and decodes the header and payload into readable JSON so you can inspect claims like issuer, subject, expiry, and scopes while debugging authentication. It is built for developers working with OAuth, OpenID Connect, and API auth. Decoding happens entirely in your browser, so the token you paste is never sent to a server.
How it works
The tool splits the token on its two dots into three segments. The first two segments are Base64Url-decoded (converting - and _ back to + and /, adding padding) and parsed as JSON to reveal the header, which names the algorithm, and the payload, which holds the claims. The third segment is the signature; this tool displays it but does not verify it, because verification requires the secret or public key. Timestamp claims like exp and iat are Unix seconds, which the tool can render as human-readable dates. Everything runs locally in JavaScript.
Worked example
Paste a token such as eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMiLCJleHAiOjE3MTg4NjQwMDB9.signature. The header decodes to {"alg":"HS256"} and the payload to {"sub":"123","exp":1718864000}. The exp value 1718864000 converts to a readable expiry date, letting you see at a glance whether the token has lapsed. Because the signature segment is not validated here, a token can decode cleanly yet still be forged or expired; treat decoded contents as untrusted until verified server-side.
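The decoding steps described under "How it works", run against the example token above, as an added JavaScript example. This is not the tool's own source: the function names are mine, the token is the page's example (its signature segment is the placeholder text "signature", exactly as on the page), and the `nowSeconds` parameter is an assumption so the expiry check can be evaluated against a fixed time rather than the wall clock. The decoder uses `atob` plus `TextDecoder` so claims containing non-ASCII text decode correctly, and it flags `alg` of `none` for display without ever trusting the header.

```javascript
// Added example, not the decoder tool's code. Runs in a browser or in Node >= 16
// (both provide atob and TextDecoder as globals).

// Base64Url -> UTF-8 text. Restores the standard Base64 alphabet and padding,
// then converts atob()'s Latin-1 "binary string" into real bytes before decoding.
function base64UrlDecode(segment) {
  let b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const rem = b64.length % 4;
  if (rem === 1) throw new Error("invalid Base64Url length"); // no valid Base64 has len % 4 == 1
  if (rem) b64 += "=".repeat(4 - rem);
  const binary = atob(b64);
  const bytes = Uint8Array.from(binary, (ch) => ch.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

// Split on the two dots; header and payload are decoded and parsed,
// the signature is kept as-is because it cannot be checked without the key.
function decodeJwt(token) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error(`expected 3 segments, got ${parts.length}`);
  const [h, p, s] = parts;
  return {
    header: JSON.parse(base64UrlDecode(h)),
    payload: JSON.parse(base64UrlDecode(p)),
    signature: s, // displayed only, never verified here
  };
}

// Unix seconds (exp, iat, nbf) -> ISO-8601 string for display; null if absent/invalid.
function claimToIsoDate(seconds) {
  if (!Number.isInteger(seconds)) return null;
  return new Date(seconds * 1000).toISOString();
}

// Expiry status relative to an explicit "now" in seconds (assumption: caller supplies it).
function expiryStatus(payload, nowSeconds) {
  if (payload.exp === undefined) return "no-exp";
  if (!Number.isInteger(payload.exp)) return "invalid-exp";
  return payload.exp <= nowSeconds ? "expired" : "valid";
}

// The page's example token; the third segment is the literal placeholder "signature".
const EXAMPLE_TOKEN =
  "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMiLCJleHAiOjE3MTg4NjQwMDB9.signature";

// Everything the tool would render for a pasted token, in one object.
function describe(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const { header, payload, signature } = decodeJwt(token);
  return {
    header,
    payload,
    signature,
    // Shown as a warning in the UI; the server is where such tokens must be rejected.
    algIsNone: typeof header.alg === "string" && header.alg.toLowerCase() === "none",
    expiresAt: claimToIsoDate(payload.exp),
    issuedAt: claimToIsoDate(payload.iat),
    status: expiryStatus(payload, nowSeconds),
  };
}

console.log(JSON.stringify(describe(EXAMPLE_TOKEN), null, 2));
```

Decoding with `atob` directly on the token segment fails for two reasons the code handles: the `-`/`_` alphabet and the stripped `=` padding. The length check rejects a segment that cannot be valid Base64 instead of silently producing garbage.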
Tips & common mistakes
- Decoding is not verification; never trust JWT claims until the signature is checked with the proper key.
- JWTs are signed, not encrypted by default, so never put passwords or secrets in the payload.
- Check the exp claim (Unix seconds) to confirm whether a token is still valid.
- An 'alg' of 'none' is a known attack vector; reject such tokens on the server.
- Use Base64Url, not standard Base64, when hand-building tokens; the - and _ characters differ.
Frequently Asked Questions
Does this verify the signature?
No. This tool decodes the token to show its contents. Verifying a JWT requires the secret or public key and should always be done on your server.
Is my token sent anywhere?
No. Decoding happens entirely in your browser. Your token is never transmitted, which matters because tokens often contain sensitive claims.
What do exp and iat mean?
They are standard claims: iat is "issued at" and exp is "expiration". The tool shows them as readable dates and flags whether the token has expired.