JSON Web Tokens (JWTs) are compact, URL-safe tokens used for authentication and information exchange between parties. A JWT consists of three parts: a header (algorithm and type), a payload (claims and data), and a signature. This tool decodes the header and payload so you can inspect the token's contents without needing a secret key.
This tool performs client-side Base64 decoding only. It does not verify the signature, which requires the secret key or public key. Never trust a JWT's payload without verifying its signature on your server. All decoding happens in your browser; your tokens are never sent to any server.
Frequently Asked Questions
Does this tool verify the JWT signature?
No. This tool only decodes the header and payload using Base64 decoding. Signature verification requires the secret key or public key and must be done on your server.
What are iat, exp, and nbf in the payload?
These are standard JWT claims: iat (issued at) is when the token was created, exp (expiration) is when it expires, and nbf (not before) is the earliest time the token is valid. They are Unix timestamps.
Is it safe to paste my JWT here?
All decoding happens in your browser using JavaScript. No data is sent to any server. However, JWTs may contain sensitive information, so always handle them carefully.
Why does my JWT show extra _iat_readable fields?
The decoder automatically adds human-readable date conversions for timestamp fields (iat, exp, nbf) to make them easier to understand. These are display helpers, not part of the original token.
Can I decode tokens from any provider?
Yes. The tool works with any standard JWT regardless of the issuer, whether it is from Auth0, Firebase, AWS Cognito, or any other identity provider.