What is a JSON Web Token (JWT)?
A JWT is a compact, URL-safe credential format defined in RFC 7519. It packs three Base64URL-encoded segments — header,
payload, and signature — joined by
dots: xxxxx.yyyyy.zzzzz. The header
describes the signing algorithm; the payload contains claims; the
signature lets the receiver verify the token wasn't tampered with.
What does this decoder show?
- The header JSON, formatted with 2-space indent.
- The payload JSON, with standard timestamp claims (
iat,nbf,exp) annotated in ISO 8601. - The raw Base64URL signature.
Common payload claims
iss— issuer (who created the token).sub— subject (typically the user id).aud— audience (intended recipient).exp— expiration time (Unix seconds).iat— issued at (Unix seconds).nbf— not valid before (Unix seconds).jti— JWT ID, for revocation lookups.
Is this safe to use with production tokens?
Yes. The token never leaves your browser — there is no backend. Decoding only reads the public Base64 segments; nothing about the signature is sent anywhere. Still, treat the decoded payload like you would any other secret on your screen.
This tool does not verify signatures
Verifying a JWT requires the issuer's public key (RS256/ES256) or shared secret (HS256). That step happens server-side. This decoder only displays what's inside the token; it does not prove the token is authentic or unexpired. Never trust an unverified JWT for authorization decisions.