JWT Decoder Guide
Reference for decoding JWT headers and payloads, reading claims, converting exp and iat values, and understanding decode versus verify.
Quick answer
Use the JWT Decoder to read the header and payload of a JSON Web Token. Decoding helps with debugging, but it does not verify the signature or prove that the token should be trusted.
What this tool shows
- Header JSON
- Payload JSON
- Common claims such as sub, iss, aud, iat, nbf, and exp
- Decoded text that can be copied into debugging notes
Example input and output
Input: a token with three dot-separated parts, such as header.payload.signature.
Output: readable JSON for the header and payload. For example, the payload may show claims like sub, iss, aud, iat, and exp, while the signature remains something the browser tool can display but not verify.
Use the decoded output to understand what the token says, then verify the signature, issuer, audience, and expiry in your backend or identity provider before trusting it.
Data handling and processing behavior
Processing is handled in the browser for this tool based on the current public implementation. Avoid entering sensitive production tokens unless you have reviewed the implementation and your security requirements.
Step-by-step use
- Paste a JWT string
- Review the decoded header
- Review the decoded payload
- Convert time claims with Timestamp Converter
- Verify the token server-side before trusting any claim
Practical workflow
Use JWT Decoder as a debugging reader, not a trust decision. Decode the token to inspect header and payload shape, convert time claims, then move the finding into backend verification, identity-provider logs, or a ticket. If the decoded payload needs to be shared as a safe example, use the Developer Data Cleanup Workflow to replace sensitive values and format the JSON.
Practical handoff note
For JWT handoff, never paste live tokens into tickets, docs, or chat transcripts. Decoding shows claims, headers, and timestamps, but it does not verify signatures or permissions. If you need to share a JWT example, replace identifiers, emails, scopes, and secrets with synthetic values before review.
Common errors
Confusing decode with verify. Decoding makes content readable. Verification checks trust.
Ignoring exp and nbf. Many auth bugs are time-window issues.
Pasting real user tokens casually. Tokens can grant access and should be treated as sensitive.
Limits
This tool does not verify signatures, validate algorithms, check keys, or enforce issuer and audience rules. Use backend verification for any security decision.
Next steps
- Developer Data Cleanup Workflow — turn decoded claims into safe debugging notes or fixtures
- Base64 Encoder/Decoder — inspect encoded text
- Timestamp Converter — convert JWT time claims
- JSON Formatter — format decoded JSON
- HTTP Header Parser — inspect auth-related response headers