Is it safe to paste my JWT here?

Yes. The JWT is decoded entirely in your browser. Nothing is sent to any server. However, be aware that JWT payloads are not encrypted — anyone with the token can read the claims.

Does this verify the JWT signature?

No. This tool only decodes the Base64-encoded header and payload. Signature verification requires the secret key or public key, which is a server-side operation.

What are common JWT claims?

iss (issuer), sub (subject), aud (audience), exp (expiration time), iat (issued at), nbf (not before), and jti (JWT ID). Custom claims can contain any application-specific data.

JWT Decoder

Decode and inspect JSON Web Token header and payload.

$jwt token

lines

0 chars1 lines

Invalid JWT: expected 3 parts separated by dots

Related Tools

B64Base64 Decode

Decode Base64-encoded strings back to readable text.

{}JSON Formatter

Pretty-print and format JSON with proper indentation.

FAQ

Is it safe to paste my JWT here?: Yes. The JWT is decoded entirely in your browser. Nothing is sent to any server. However, be aware that JWT payloads are not encrypted — anyone with the token can read the claims.
Does this verify the JWT signature?: No. This tool only decodes the Base64-encoded header and payload. Signature verification requires the secret key or public key, which is a server-side operation.
What are common JWT claims?: iss (issuer), sub (subject), aud (audience), exp (expiration time), iat (issued at), nbf (not before), and jti (JWT ID). Custom claims can contain any application-specific data.

The JWT Decoder parses a JSON Web Token and displays the header and payload as formatted JSON. It identifies common claims (iss, sub, exp, iat, aud) and shows token expiration status. No secret key is needed — this tool only decodes the Base64-encoded parts, it does not verify the signature.