JWT Decoder
Decode a JSON Web Token: header, payload and signature. Inspect claims like exp, iat, sub, iss. 100% local — token never leaves your browser.
Frequently asked questions
Is my token sent to a server?
No. The decode happens fully in your browser. The token never touches the network. Safe even for production tokens.
Does this verify the signature?
No — decoding ≠ verifying. To verify, you need the secret (HS256) or public key (RS256). Use jwt.io or your backend for verification.
What is exp / iat / sub?
exp = expiration timestamp (Unix epoch). iat = issued-at timestamp. sub = subject (usually user ID). iss = issuer. aud = audience. nbf = not-before.
Why is the signature blob random?
It's the cryptographic signature (HMAC or RSA), base64url-encoded. It looks random because it is: the whole point is that you can't derive it without the secret.
Can I edit the payload and re-sign?
Not from this tool — re-signing requires the secret/key. You'd need a backend or library like jsonwebtoken (Node) or PyJWT (Python).
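What "decoding ≠ verifying" means in practice, as an added example that is not this tool's own code: a local decoder splits the token, base64url-decodes the header and payload, and checks exp and nbf, but it never touches a key. The names decodeJwt and b64urlToBytes, the issuer URL, the claims and the placeholder signature are all constructed for illustration; it runs in a browser or Node 16+.

```javascript
// Encoder used only to build the constructed sample tokens below.
const b64url = (obj) =>
  btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");

function b64urlToBytes(seg) {
  if (!/^[A-Za-z0-9_-]*$/.test(seg)) throw new Error("segment is not base64url");
  const b64 = seg.replace(/-/g, "+").replace(/_/g, "/");
  const bin = atob(b64 + "=".repeat((4 - (b64.length % 4)) % 4)); // restore padding
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
}

// Decode only: no key is involved, so nothing here proves authenticity.
function decodeJwt(token, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const utf8 = new TextDecoder("utf-8", { fatal: true });
  const [header, payload] = parts
    .slice(0, 2)
    .map((p) => JSON.parse(utf8.decode(b64urlToBytes(p))));
  const notes = [];
  if (!header.alg || String(header.alg).toLowerCase() === "none")
    notes.push("alg missing or none: token is unsigned");
  if (typeof payload.exp === "number" && payload.exp <= nowSec) notes.push("expired");
  if (typeof payload.nbf === "number" && payload.nbf > nowSec) notes.push("not yet valid");
  return {
    header,
    payload,
    signatureBytes: b64urlToBytes(parts[2]).length,
    notes,
    verified: false, // decoding never proves who issued the token
  };
}

// Constructed sample: the signature segment is placeholder bytes, not a real HMAC.
const NOW = 1700000000;
const HEADER = { alg: "HS256", typ: "JWT" };
const CLAIMS = { iss: "https://issuer.example", sub: "user-42", iat: NOW - 7200, exp: NOW - 3600 };
const SAMPLE = `${b64url(HEADER)}.${b64url(CLAIMS)}.c2lnbmF0dXJl`;

// Same header and signature, different payload: it decodes just as cleanly,
// which is why decoded claims must not be trusted until the signature is verified.
const ALTERED = `${b64url(HEADER)}.${b64url({ ...CLAIMS, sub: "someone-else" })}.c2lnbmF0dXJl`;

console.log(decodeJwt(SAMPLE, NOW));
console.log(decodeJwt(ALTERED, NOW).payload.sub);
```

Both tokens decode without error even though the second one's payload no longer matches its signature segment; only verification with the secret or public key can tell them apart.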