A JWT (JSON Web Token) is a compact, URL-safe token made of three Base64URL parts separated by dots: header, payload and signature. To decode a JWT, paste it into a JWT decoder and read the header and payload as JSON. This guide explains what each part means, how to read claims like exp and iat, and why decoding is not the same as verifying.
Grab the JWT (the long eyJ… string) from your request headers, cookies or auth response.
The decoder splits it on the dots and Base64URL-decodes the header and payload.
See the algorithm in the header and the payload claims, with exp/iat shown in readable local time.
An expiry badge tells you at a glance whether the token is still valid or has expired.
What are the three parts of a JWT?
A JWT is header.payload.signature. The header says which algorithm signed it (e.g. HS256, RS256). The payload holds the claims (the data). The signature proves the token was issued by someone holding the secret or private key. The first two parts are just Base64URL — anyone can read them.
What do exp, iat and sub mean?
These are standard (registered) claims: sub is the subject (user id), iat is issued-at, exp is the expiry time, nbf is not-before, and iss/aud are the issuer and audience. Times are Unix timestamps — our JWT decoder converts them to readable dates, and you can convert any epoch with the timestamp converter.
Does decoding verify the token?
No. Decoding only reveals what is inside; it does not check the signature, so a decoded payload is not proof the token is authentic. Verification requires the secret (HMAC) or public key (RSA/EC) and must happen on a trusted server. Never trust an unverified token for authorization.
Tip: A JWT payload is readable by anyone — never put passwords or secrets in it. Store only non-sensitive identifiers and claims.
Decode your JWT now
Paste a token to read its header, claims and expiry — decoded in your browser, never uploaded.
Open the JWT Decoder →Frequently Asked Questions
How do I decode a JWT?
Paste the token into a JWT decoder. It Base64URL-decodes the header and payload and shows them as JSON.
Is decoding a JWT safe?
Reading it is safe, but use a tool that decodes in your browser so the token is never sent to a server. This decoder does exactly that.
Does the decoder verify the signature?
No. Decoding shows the contents only. Signature verification needs the secret or public key and must be done server-side.
Can I tell if a JWT is expired?
Yes — check the exp claim. The decoder humanizes it and shows an expiry badge.