utilduck
Home · Developer · JWT Decoder

JWT Decoder

Paste a JSON Web Token below to decode its header and payload.

This tool only decodes a JWT's header and payload — it does not verify the signature. A decoded token could still be invalid, expired, or tampered with; never trust a JWT's contents without verifying it server-side.

100% local processing — the token is decoded entirely in your browser and never sent anywhere.

-
-
Issued at (iat)-
Expires at (exp)-

About JWT (JSON Web Token)

A JWT is a compact, URL-safe token made of three base64url-encoded parts separated by dots: a header describing the signing algorithm, a payload holding claims (data), and a signature used to verify the token wasn't altered. This tool decodes the header and payload back into readable JSON.

Because the header and payload are only base64url-encoded, not encrypted, anyone can decode and read them without a secret key — that's expected and by design. What a JWT's signature protects against is tampering, not the JWT's contents being unreadable, which is why a decoder alone can never confirm a token is genuinely valid.

How do I decode a JWT and what does exp/iat mean?

A JWT (JSON Web Token) is three base64url-encoded parts joined by dots: header.payload.signature. To read it, split the string on the dots, base64url-decode the header and payload parts, and parse each as JSON — no secret key is needed to decode, only to verify the signature. The payload's iat (issued at) and exp (expiration) claims are Unix timestamps (seconds since 1970-01-01), which this tool converts to a human-readable date.

Steps to decode a JWT

  1. Paste the full JWT string (all three dot-separated parts) into the input box.
  2. The tool splits the token on its dots and base64url-decodes the first part (header) and second part (payload).
  3. Each decoded part is parsed as JSON and pretty-printed for readability.
  4. If the payload contains iat or exp claims, they are converted from Unix timestamps into a readable local date and time.
  5. The third part (signature) is left as-is and is never decoded or checked, since verifying it requires the issuer's secret or public key, which this tool does not have.

JWT structure and timestamp conversion

JWT = base64url(header) + "." + base64url(payload) + "." + signature · Human date = new Date(exp_or_iat_seconds x 1000)
  • iat (issued at) = the Unix timestamp, in seconds, when the token was created
  • exp (expiration) = the Unix timestamp, in seconds, after which the token should be considered expired
  • base64url = a URL-safe variant of base64 encoding that replaces + and / with - and _ and omits padding

Common JWT payload claims

ClaimMeaning
issIssuer — who created and signed the token
subSubject — the identity the token is about, such as a user ID
audAudience — the intended recipient of the token
iatIssued at — when the token was created (Unix timestamp)
expExpiration — when the token stops being valid (Unix timestamp)

Frequently asked questions

Does decoding a JWT prove it's valid or trustworthy?

No. Decoding only reveals what's inside the header and payload; it says nothing about whether the signature is genuine, whether the token was issued by a trusted source, or whether it has been tampered with. Only verifying the signature with the correct secret or public key can confirm a token is authentic.

Why can anyone read my JWT's payload without a password?

The header and payload are base64url-encoded, not encrypted, so decoding them is just a reversible text transformation, not a security barrier — this is by design, since JWTs are meant to be readable by any party that receives them. Sensitive data should never be placed in a JWT payload for this reason.

What happens if a token's exp timestamp is in the past?

A JWT with an exp value in the past is generally considered expired by systems that check it, and should be rejected, but this decoder only displays the date — it does not compare it to the current time or reject anything, since that check is the server's responsibility.

Why does my decoded token show an error?

An error usually means the pasted text isn't a complete, well-formed JWT — for example, it's missing a dot-separated segment, the header or payload isn't valid base64url, or the decoded text isn't valid JSON. Double-check you copied the entire token without extra spaces or line breaks.

This tool decodes and displays the header and payload only; it never verifies the signature, checks expiration against the current time, or validates any claim, so a successfully decoded token is not the same as a verified, trustworthy token.

Sources: RFC 7519 (JSON Web Token)