JWT Decoder Guide
Reference for decoding JWT headers and payloads, reading claims, converting exp and iat values, and understanding decode versus verify.
Quick answer
Use the JWT Decoder to read the header and payload of a JSON Web Token. Decoding helps with debugging, but it does not verify the signature or prove that the token should be trusted.
What this tool shows
- Header JSON
- Payload JSON
- Common claims such as sub, iss, aud, iat, nbf, and exp
- Decoded text that can be copied into debugging notes
Data handling and processing behavior
Based on the current public implementation, this tool processes tokens in the browser. Avoid entering sensitive production tokens unless you have reviewed the implementation against your security requirements.
Step-by-step use
- Paste a JWT string
- Review the decoded header
- Review the decoded payload
- Convert time claims with Timestamp Converter
- Verify the token server-side before trusting any claim
Common errors
- Confusing decode with verify: decoding makes content readable. Verification checks trust.
- Ignoring exp and nbf: many auth bugs are time-window issues.
- Pasting real user tokens casually: tokens can grant access and should be treated as sensitive.
Limits
This tool does not verify signatures, validate algorithms, check keys, or enforce issuer and audience rules. Use backend verification for any security decision.
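The gap between decoding and verifying, shown as an added example that is not part of this tool or its code: a tampered token decodes cleanly, while a backend check that pins the algorithm, compares the signature, and enforces exp, nbf, iss and aud rejects it. HS256 is assumed, and the key, issuer, audience and tokens are constructed for the demonstration.

```python
import base64, hashlib, hmac, json

def b64url_decode(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_unverified(token):
    """What a decoder shows: header and payload, with no trust established."""
    h, p, _sig = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p))

def sign_hs256(header, payload, key):
    """Helper that mints the constructed sample token."""
    parts = [b64url_encode(json.dumps(x).encode()) for x in (header, payload)]
    sig = hmac.new(key, ".".join(parts).encode(), hashlib.sha256).digest()
    return ".".join(parts + [b64url_encode(sig)])

def verify_hs256(token, key, issuer, audience, now):
    """Return claims only if alg, signature, time window, iss and aud all pass."""
    try:
        h, p, s = token.split(".")
        if json.loads(b64url_decode(h)).get("alg") != "HS256":
            return None  # pin the algorithm instead of trusting the header
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return None  # signature mismatch: payload or key is wrong
        claims = json.loads(b64url_decode(p))
        if not now < claims["exp"] or now < claims.get("nbf", 0):
            return None  # outside the validity window
        aud = claims.get("aud")
        if claims.get("iss") != issuer or audience not in (aud if isinstance(aud, list) else [aud]):
            return None  # token was minted by or for someone else
        return claims
    except (ValueError, TypeError, KeyError, AttributeError):
        return None  # malformed token or missing exp

# Constructed sample data (not real credentials)
KEY, NOW = b"constructed-demo-key", 1_700_000_000
ISS, AUD = "https://issuer.example", "api.example"
CLAIMS = {"sub": "user-1", "iss": ISS, "aud": AUD, "nbf": NOW - 60, "exp": NOW + 300}
GOOD = sign_hs256({"alg": "HS256", "typ": "JWT"}, CLAIMS, KEY)
# Tampered copy: payload edited, original signature reused
h, _, s = GOOD.split(".")
FORGED = ".".join([h, b64url_encode(json.dumps({**CLAIMS, "sub": "admin"}).encode()), s])

if __name__ == "__main__":
    print(decode_unverified(FORGED)[1]["sub"])      # decodes without complaint
    print(verify_hs256(FORGED, KEY, ISS, AUD, NOW))  # rejected by verification
```

In a real service, use a maintained JWT library with the same checks configured explicitly rather than hand-rolled verification.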
Next steps
- Base64 Encoder/Decoder — inspect encoded text
- Timestamp Converter — convert JWT time claims
- JSON Formatter — format decoded JSON
- HTTP Header Parser — inspect auth-related response headers