JWT decoder: header, payload and signature

Paste a JWT and instantly see the decoded header and payload, with exp/iat times in human-readable form. The token is parsed in your browser; nothing is sent to the server.

🧠 How a JWT is built

A JWT (JSON Web Token) is three parts separated by dots: header.payload.signature. The first two are ordinary JSON encoded in base64url (so anyone who has the token can read them). The third is the signature: it does not encrypt the data, it lets the server verify that the token was not tampered with.

eyJhbG… . eyJzdW… . SflKxw…
Header: alg, typ (base64url JSON)
Payload: sub, exp, iat… (base64url JSON)
Signature: HMAC / RSA (tamper protection)

Anyone can decode a JWT — it is not encryption. Never store passwords or secrets in the payload. Authenticity comes only from verifying the signature on the server with the secret key.
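
The difference between decoding and verifying, as an added example that is not this page's own code: it decodes an HS256 token without any key, renders exp/iat as dates, and shows that an edited payload still decodes but no longer verifies. It runs on Node.js; the secret, the claims and the function names are constructed for illustration.

```javascript
// Added example. The secret and claims below are constructed sample values.
const crypto = require("crypto");
const b64url = (data) => Buffer.from(data).toString("base64url");

// Decode only: split on dots, base64url-decode, parse JSON. No key is needed.
function decodeJwt(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const [header, payload] = parts.slice(0, 2).map((p) =>
    JSON.parse(Buffer.from(p, "base64url").toString("utf8")));
  // exp/iat are seconds since the epoch; render them as ISO 8601 timestamps.
  const times = {};
  for (const claim of ["exp", "iat"]) {
    if (typeof payload[claim] === "number") {
      times[claim] = new Date(payload[claim] * 1000).toISOString();
    }
  }
  return { header, payload, times };
}

function signHs256(signingInput, secret) {
  return crypto.createHmac("sha256", secret).update(signingInput).digest();
}

// Verify: recompute the HMAC over "header.payload" and compare in constant time.
// The accepted algorithm is fixed by the verifier, not chosen by the token.
function verifyHs256(token, secret) {
  const parts = token.split(".");
  if (parts.length !== 3) return false;
  let header;
  try { header = JSON.parse(Buffer.from(parts[0], "base64url").toString("utf8")); }
  catch { return false; }
  if (header.alg !== "HS256") return false;
  const expected = signHs256(`${parts[0]}.${parts[1]}`, secret);
  const given = Buffer.from(parts[2], "base64url");
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// Constructed sample token.
const SECRET = "constructed-demo-secret";
const head = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
const body = b64url(JSON.stringify({ sub: "1234", role: "user", iat: 1700000000, exp: 1700003600 }));
const TOKEN = `${head}.${body}.${signHs256(`${head}.${body}`, SECRET).toString("base64url")}`;

// Same header and signature, edited payload: still decodes, no longer verifies.
const editedBody = b64url(JSON.stringify({ sub: "1234", role: "admin", iat: 1700000000, exp: 1700003600 }));
const TAMPERED = [head, editedBody, TOKEN.split(".")[2]].join(".");
console.log(decodeJwt(TOKEN).times, verifyHs256(TOKEN, SECRET), verifyHs256(TAMPERED, SECRET));
```
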