JWT Decoder
Read a JWT's header and claims — it never leaves your browser, and we never verify the signature.
Runs in your browser — your data never leaves it
Paste, type, or drop a file. Runs as you type.
Output appears here as you type.
Worked example
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c{
"header": {
"alg": "HS256",
"typ": "JWT"
},
"payload": {
"sub": "1234567890",
"name": "John Doe",
"iat": 1516239022
},
"readable_dates": {
"iat": "2018-01-18T01:30:22.000Z"
},
"signature_verified": false
}This example is one of JWT Decoder's test cases — if the tool stopped producing this output, the build would fail.
Questions
- Does it verify the signature?
- No, deliberately — and it says so in the output. Verifying requires your signing secret, and a browser tool that asks you to paste a signing secret is a tool that shouldn't exist. This shows you what's inside; it never claims the token is authentic.
- Is my token sent anywhere?
- No. It's decoded in your browser. That's the entire reason to use this rather than a site that posts your token to a server.
- Why are exp and iat shown as dates?
- Because nobody reads Unix timestamps. The readable_dates block converts exp, iat, and nbf to ISO dates alongside the raw claims.
Related tools
JSON Formattertakes json
Pretty-print and indent JSON — in your browser, nothing uploaded.
JSON Validatortakes json
Check whether JSON is valid and see the first error.
JSON to CSVtakes json
Turn a JSON array of records into CSV, with proper escaping.
JSON Minifiertakes json
Strip whitespace from JSON down to the smallest valid form.