JWT Decoder

Decode JSON Web Tokens to inspect the header, payload, and claims. Quickly debug authentication tokens without any server calls.


Paste a JWT token, keep line numbers visible, and inspect the decoded header, payload, and signature inside fullscreen mode.

Quick examples

Header
{
  "alg": "HS256",
  "typ": "JWT"
}
Payload
{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}
iat: 2018-01-18T01:30:22.000Z
Signature
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Usage notes

  • This tool decodes but does not verify the signature. Never trust a JWT payload without verifying the signature server-side.
  • Common claims: 'exp' (expiration), 'iat' (issued at), 'sub' (subject), 'iss' (issuer).
  • Timestamps (exp, iat, nbf) are shown as ISO dates when detected.
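
The difference between decoding and verifying, as an added example (not this tool's code): the decoder below reads a tampered token without complaint, and only the server-side HMAC check rejects it. The secret, the tokens and the function names are constructed for illustration, and Node.js with its built-in crypto module is assumed.

```javascript
// Added example (not the tool's code): decode vs. verify for an HS256 JWT, Node.js stdlib only.
const nodeCrypto = require('crypto');
const b64url = (text) => Buffer.from(text, 'utf8').toString('base64url');

// Decode only, as a decoder tool does. This proves nothing about authenticity.
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const [header, payload] = parts.slice(0, 2)
    .map((p) => JSON.parse(Buffer.from(p, 'base64url').toString('utf8')));
  if (!header || !payload || typeof header !== 'object' || typeof payload !== 'object') {
    throw new Error('header and payload must be JSON objects');
  }
  const dates = {}; // exp/iat/nbf are seconds since the Unix epoch
  for (const claim of ['exp', 'iat', 'nbf']) {
    if (Number.isFinite(payload[claim])) dates[claim] = new Date(payload[claim] * 1000).toISOString();
  }
  return { header, payload, dates, signature: parts[2] };
}

// Verify: recompute the HMAC over "header.payload" and compare in constant time.
// The verifier pins the algorithm; it does not accept whatever the header claims.
function verifyHs256(token, secret, nowSeconds = Math.floor(Date.now() / 1000)) {
  let decoded;
  try { decoded = decodeJwt(token); } catch { return { valid: false, reason: 'malformed' }; }
  if (decoded.header.alg !== 'HS256') return { valid: false, reason: 'unexpected alg' };
  const signingInput = token.slice(0, token.lastIndexOf('.'));
  const expected = Buffer.from(
    nodeCrypto.createHmac('sha256', secret).update(signingInput).digest('base64url'));
  const given = Buffer.from(decoded.signature);
  if (given.length !== expected.length || !nodeCrypto.timingSafeEqual(given, expected)) {
    return { valid: false, reason: 'bad signature' };
  }
  const { exp } = decoded.payload; // claims are trusted only after the signature check
  if (exp !== undefined && !(Number.isFinite(exp) && nowSeconds < exp)) {
    return { valid: false, reason: 'expired' };
  }
  return { valid: true, payload: decoded.payload };
}

// Constructed sample data: the secret and both tokens are made up for this example.
const SECRET = 'example-secret-for-demo-only';
function signHs256(payload, secret) {
  const input = `${b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }))}.${b64url(JSON.stringify(payload))}`;
  return `${input}.${nodeCrypto.createHmac('sha256', secret).update(input).digest('base64url')}`;
}
const token = signHs256({ sub: '1234567890', name: 'John Doe', iat: 1516239022, exp: 1516242622 }, SECRET);
// Tampered copy: payload replaced, original signature kept.
const tampered = `${token.split('.')[0]}.${b64url(JSON.stringify({ sub: 'admin', exp: 1516242622 }))}.${token.split('.')[2]}`;
```
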

How to Use This Tool

  1. Paste a JWT token into the input field.
  2. The header and payload are decoded and displayed instantly.
  3. Click Copy to copy any section.

Frequently Asked Questions

Does this verify the JWT signature?
No. This is a decoder only. Signature verification requires the secret key or public key and should be done server-side.
Is my token sent to a server?
No. Decoding happens entirely in your browser. Your token never leaves your device.
What are the three parts of a JWT?
Header (algorithm & type), Payload (claims/data), and Signature (verification hash). Each part is Base64URL-encoded and separated by dots.
What is the 'exp' claim?
The expiration time as a Unix timestamp (seconds since Jan 1, 1970). After this time, the token should be considered invalid.