Pre-launch — your 10 free credits are reserved for launch day. Join the waitlist
encoders · free tool

JWT Decoder

Read a JWT's header and claims — it never leaves your browser, and we never verify the signature.

Runs in your browser — your data never leaves it

Paste, type, or drop a file. Runs as you type.

Output appears here as you type.

Worked example

Input
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Output
{
  "header": {
    "alg": "HS256",
    "typ": "JWT"
  },
  "payload": {
    "sub": "1234567890",
    "name": "John Doe",
    "iat": 1516239022
  },
  "readable_dates": {
    "iat": "2018-01-18T01:30:22.000Z"
  },
  "signature_verified": false
}

This example is one of JWT Decoder's test cases — if the tool stopped producing this output, the build would fail.

Questions

Does it verify the signature?
No, deliberately — and it says so in the output. Verifying requires your signing secret, and a browser tool that asks you to paste a signing secret is a tool that shouldn't exist. This shows you what's inside; it never claims the token is authentic.
Is my token sent anywhere?
No. It's decoded in your browser. That's the entire reason to use this rather than a site that posts your token to a server.
Why are exp and iat shown as dates?
Because nobody reads Unix timestamps. The readable_dates block converts exp, iat, and nbf to ISO dates alongside the raw claims.

Related tools