Free · No signup

JWT Decoder

Paste a JSON Web Token and instantly inspect its header, payload and claims — with expiry timestamps translated to human-readable dates.

Processed in memory — never stored, never logged, no account needed.

How JWTs are structured

A JSON Web Token is three base64url-encoded segments separated by dots: header.payload.signature. The header declares the signing algorithm (alg) and token type; the payload carries the claims — who the token is about (sub), who issued it (iss), and when it expires (exp).

Base64url is an encoding, not encryption: anyone holding a JWT can read its contents, which is exactly what this tool does. Never put secrets in a JWT payload. What makes a JWT trustworthy is the signature, which only the holder of the signing key can produce.

This decoder deliberately does not verify signatures — that requires the secret or public key and belongs in your backend. Use it to debug why a token is rejected: wrong audience, expired exp, clock skew on nbf, or an unexpected algorithm.

Your API rejects tokens at 3 a.m.? Know it first

ContinuumNexus monitors your authenticated endpoints around the clock and alerts you when they start failing.

Frequently asked questions

Is it safe to paste a JWT here?
Your token is decoded in memory and is never stored, logged or shared. That said, treat production tokens like passwords: prefer expired or test tokens when debugging, and rotate any secret you suspect was exposed.
Does this tool verify the JWT signature?
No — verification requires the signing secret (HS256) or the issuer's public key (RS256/ES256) and should happen server-side. This tool decodes the header and payload so you can inspect claims and expiry.
Why does my valid-looking token get rejected by the API?
The usual suspects: the exp claim is in the past, the nbf claim is in the future (clock skew), the aud or iss claims don't match what the API expects, or the API expects a different signing algorithm than the one in the header.
Are JWTs encrypted?
Standard signed JWTs (JWS) are not encrypted — the payload is readable by anyone. Encrypted JWTs (JWE) exist but are rarer; they have five segments instead of three. This tool handles the common signed format.
What are the standard JWT claims?
The registered claims are iss (issuer), sub (subject), aud (audience), exp (expiration), nbf (not before), iat (issued at) and jti (unique ID). Everything else is a custom claim defined by your identity provider or application.