JWT Decoder

Paste a JSON Web Token to inspect its header and payload, with issued-at and expiry timestamps translated to readable dates.

What's inside a JWT

A JSON Web Token has three Base64URL-encoded parts separated by dots: a header (algorithm and token type), a payload (the claims — user ID, roles, expiry), and a signature. The header and payload are only encoded, not encrypted, which is why any JWT can be decoded without a key.

Decoding is not verifying

This tool decodes tokens; it does not verify signatures. A decoded token tells you what it claims, not whether it's authentic. Signature verification requires the signing secret or public key and should happen on your server.
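
The difference between decoding and verifying, as an added example for Node.js that is not this tool's own code; the secret, the claims and all function names are constructed for illustration. A token whose payload was altered still decodes cleanly, but fails the server-side HMAC check.

```javascript
// Added example (Node.js). The secret and the claims are constructed sample values.
const crypto = require('crypto');

const b64url = (buf) => Buffer.from(buf).toString('base64url');
const fromB64url = (s) => Buffer.from(s, 'base64url');

// Build an HS256 token so the example has input to work on.
function signHS256(payload, secret) {
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(payload));
  const sig = crypto.createHmac('sha256', secret).update(`${head}.${body}`).digest();
  return `${head}.${body}.${b64url(sig)}`;
}

// Decode only: no key needed, no authenticity established.
function decode(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const header = JSON.parse(fromB64url(parts[0]).toString('utf8'));
  const payload = JSON.parse(fromB64url(parts[1]).toString('utf8'));
  const toDate = (s) => (typeof s === 'number' ? new Date(s * 1000).toISOString() : null);
  return { header, payload, issuedAt: toDate(payload.iat), expires: toDate(payload.exp) };
}

// Verify: recompute the HMAC over "header.payload" and compare in constant time.
// The accepted algorithm is fixed by the verifier, never chosen by the token header.
function verifyHS256(token, secret, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) return false;
  let header;
  try { header = JSON.parse(fromB64url(parts[0]).toString('utf8')); } catch { return false; }
  if (header.alg !== 'HS256') return false;
  const expected = crypto.createHmac('sha256', secret).update(`${parts[0]}.${parts[1]}`).digest();
  const given = fromB64url(parts[2]);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return false;
  const { exp } = JSON.parse(fromB64url(parts[1]).toString('utf8'));
  return typeof exp !== 'number' || now < exp; // reject expired tokens
}

const SECRET = 'constructed-demo-secret';
const token = signHS256({ sub: 'user-42', role: 'viewer', iat: 1700000000, exp: 1700003600 }, SECRET);

// Same header and signature, different payload: decodes fine, must not verify.
const [h, , s] = token.split('.');
const altered = `${h}.${b64url(JSON.stringify({ sub: 'user-42', role: 'admin', iat: 1700000000, exp: 1700003600 }))}.${s}`;
```
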

Is it safe to paste tokens here?

Yes — decoding happens entirely in your browser and the token is never transmitted. Still, treat live production tokens as credentials: prefer inspecting expired or development tokens where possible.