Mar 14, 2026

Free JWT Decoder

Paste a JWT and instantly see its decoded header, payload, and whether it’s expired. Nothing sent to a server.

Try it

'<div class="jwt-section"><h3>Signature</h3><pre>' + parts[2] + '</pre></div>'; } catch (e) { output.innerHTML = '<pre style="color:red">❌ ' + e.message + '</pre>'; } };

How it works

A JWT has three Base64URL-encoded parts separated by dots: header.payload.signature

const parts = token.split('.');
const header = JSON.parse(atob(parts[0]));
const payload = JSON.parse(atob(parts[1]));

The signature can’t be verified client-side without the secret key — but you can still inspect the header and payload, which is what you need 90% of the time when debugging.

Common JWT fields

Field	Meaning
`iss`	Issuer — who created the token
`sub`	Subject — who the token is about
`exp`	Expiration time (Unix timestamp)
`iat`	Issued at (Unix timestamp)
`aud`	Audience — who the token is for
`scope`	Permissions granted