UK’s trusted IT infrastructure partner since 2003
Servnet

JWT decoder

Decode a JSON Web Token to read its header and payload — with human-readable issued / expiry dates and an expiry check. Decode-only, entirely in your browser.

🔒 Decoding only — the signature is not verified. Never paste production secrets; everything stays in your browser.
Header
{
  "alg": "HS256",
  "typ": "JWT"
}
Payload
{
  "sub": "1234567890",
  "name": "John Doe",
  "role": "admin",
  "iat": 1700000000,
  "exp": 1900000000
}
Standard time claims
Issued at (iat): Tue, 14 Nov 2023 22:13:20 UTC
Expires (exp): Sun, 17 Mar 2030 17:46:40 UTC
Decoded token — three Base64URL segments: HEADER 36 chars, PAYLOAD 116 chars, SIGNATURE 43 chars

A JWT is three Base64URL parts joined by dots: a header (algorithm), a payload (claims) and a signature. The first two are only encoded, not encrypted — anyone can read them, so never put secrets in a payload.


How to decode a JWT

Paste a token into the box. The decoder splits it on the dots and shows the header and payload as pretty-printed JSON, converts the standard time claims (iat, exp, nbf) into readable UTC dates, and marks the token EXPIRED if its expiry has passed. The diagram shows how the three segments are sized.
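The decoding steps just described, written out as an added example (not the tool's own code): split on the dots, Base64URL-decode the two JSON segments, convert iat/exp/nbf to UTC dates, report the segment sizes and flag expiry; it also goes one step further and flags a token whose nbf is still in the future. The sample token is constructed here from the page's example claims, and its signature segment is a placeholder rather than a real HMAC tag.

```javascript
// Decode-only inspection of a JWT, mirroring what the page's tool does. Works in
// browsers and Node 16+ (atob/btoa, TextEncoder/TextDecoder). Nothing here touches the signature.

function base64UrlDecode(seg) {
  // Base64URL uses '-' and '_' for '+' and '/' and drops the '=' padding; restore both
  if (!/^[A-Za-z0-9_-]*$/.test(seg)) throw new Error('segment is not Base64URL');
  const b64 = seg.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - (seg.length % 4)) % 4);
  return new TextDecoder().decode(Uint8Array.from(atob(b64), (c) => c.charCodeAt(0)));
}

function formatUtc(unixSeconds) {
  // Registered time claims are Unix seconds, so scale to milliseconds for Date
  return new Date(unixSeconds * 1000).toUTCString().replace(/ GMT$/, ' UTC');
}

function decodeJwt(token, nowMs = Date.now()) {
  const parts = token.trim().split('.');
  if (parts.length < 2 || parts.length > 3) throw new Error('expected header.payload[.signature]');
  const [h, p, s = ''] = parts;
  const header = JSON.parse(base64UrlDecode(h));
  const payload = JSON.parse(base64UrlDecode(p));
  if (!header || !payload || typeof header !== 'object' || typeof payload !== 'object') throw new Error('header and payload must be JSON objects');
  const times = {};
  for (const claim of ['iat', 'exp', 'nbf']) {
    if (Number.isInteger(payload[claim])) times[claim] = formatUtc(payload[claim]);
  }
  return {
    header, payload, times,
    segments: { header: h.length, payload: p.length, signature: s.length },
    // RFC 7519: "now" must be strictly before exp, so exp == now already counts as expired
    expired: Number.isInteger(payload.exp) && payload.exp * 1000 <= nowMs,
    notYetValid: Number.isInteger(payload.nbf) && payload.nbf * 1000 > nowMs,
    signatureVerified: false, // decoding proves nothing about authenticity; that needs the key
  };
}

// Constructed sample with the page's example claims. The signature segment is a 43-char
// placeholder: without the key a decoder cannot tell it from a real HS256 tag anyway.
function base64UrlEncode(str) {
  const bin = String.fromCharCode(...new TextEncoder().encode(str));
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
const SAMPLE_TOKEN = [
  base64UrlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' })),
  base64UrlEncode(JSON.stringify({ sub: '1234567890', name: 'John Doe', role: 'admin', iat: 1700000000, exp: 1900000000 })),
  'x'.repeat(43),
].join('.');
console.log(JSON.stringify(decodeJwt(SAMPLE_TOKEN), null, 2));
```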

A word on security

JWTs are signed, not encrypted, so the contents are readable by anyone who holds the token — never put secrets in a payload. This tool decodes only and never asks for your signing key; signature verification belongs in your backend, where the secret stays safe. Inspecting a token here is perfect for debugging auth flows and checking claim values and expiry.

🔐 Nothing uploaded: decoding is 100% in-browser. For identity, access management and security projects, Servnet’s security team can help — UK-based since 2001.

JWT — common questions

What is a JWT?

A JSON Web Token is a compact, URL-safe token with three Base64URL-encoded parts separated by dots: a header (the signing algorithm), a payload (claims such as user ID, roles and expiry) and a signature. It is widely used for stateless authentication and authorization.

Does this verify the signature?

No — this tool decodes only. Verifying a signature requires the secret or public key, which should never be pasted into a web page. Use it to inspect a token’s contents; verify the signature in your backend.

Is a JWT encrypted?

Standard JWTs are signed, not encrypted. The header and payload are merely Base64URL-encoded, so anyone holding the token can read them. Never store passwords or secrets in a payload; the signature only guarantees the token has not been tampered with.

What do iat, exp and nbf mean?

They are registered time claims in Unix seconds: iat = issued-at, exp = expiry, nbf = not-before. This decoder converts each to a readable UTC date and flags the token as EXPIRED if exp is in the past.

Why is my token showing as invalid?

A JWT must have at least a header and payload separated by dots, each a valid Base64URL-encoded JSON object. Truncated tokens, extra whitespace or a copied fragment will fail to decode.

Is it safe to paste a token here?

Decoding runs entirely in your browser and nothing is transmitted. Still, treat real session tokens with care — they grant access until they expire, so avoid sharing them and prefer expired or test tokens where possible.