JWT Decoder

Decode and inspect JSON Web Tokens entirely in your browser - no network calls.

How this works

A JSON Web Token is three base64url-encoded segments joined by dots: <header>.<payload>.<signature>. The header names the signing algorithm (e.g. HS256). The payload carries claims - structured facts about the subject, such as sub (user ID), exp (expiry timestamp), and any custom fields your application adds. The segments are encoded, not encrypted, so anyone holding the token can read them. The signature ties the header and payload together: the issuer signs both with a server-side secret (or a private key, for asymmetric algorithms) so recipients can detect tampering.

This tool decodes the header and payload entirely in your browser. The raw bytes never leave your machine, which matters when pasting tokens from staging or production systems. The signature segment is displayed as-is; verifying it requires the secret or public key, which is deliberately out of scope for a client-side tool.

Watch the exp claim. It is a Unix timestamp (seconds since epoch). If the current time is past that value, the token is expired and any server checking it will reject the request. This decoder flags expiry automatically so you can diagnose 401 Unauthorized errors without reaching for a terminal or a separate time converter.
