A JSON Web Token (JWT) carries signed claims as three Base64url segments separated by dots: header.payload.signature. The header and payload are only encoded, not encrypted — anyone with the token can read them. This tool splits a token and decodes the header and payload into readable, pretty-printed JSON, directly in your browser. It does not verify the signature.
Structure of a JWT
Every JWT has exactly three dot-separated segments:
eyJhbGciOiJIUzI1NiJ9 . eyJzdWIiOiIxMjMifQ . SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
header payload signature
- Header — a JSON object naming the signing algorithm and token type, for example
{"alg":"HS256","typ":"JWT"}. - Payload — a JSON object containing claims: facts about the subject and instructions for the recipient.
- Signature — raw cryptographic bytes produced by signing
base64url(header) + "." + base64url(payload)with a secret or private key.
How decoding works
- The token is split on
.into three segments. - The header and payload are Base64url-decoded: the URL-safe characters
-and_are mapped back to+and/, any missing padding is restored, and the resulting bytes are UTF-8 decoded and parsed as JSON. - Standard time claims —
iat(issued-at),nbf(not-before), andexp(expiry) — are Unix timestamps in seconds and are converted to readable UTC dates. - If the current time is past
exp, the token is flagged as expired. - The signature is shown as its raw Base64url string — it contains binary data, not text, so it cannot be meaningfully decoded to JSON.
Reading the common claims
| Claim | Meaning |
|---|---|
alg | Signing algorithm — in the header (e.g. HS256, RS256) |
sub | Subject — the user or entity the token represents |
iss | Issuer — the service that created the token |
aud | Audience — which service(s) should accept this token |
iat | Issued at — when the token was created (Unix seconds) |
nbf | Not before — token is invalid before this time |
exp | Expiry — token must be rejected after this time |
Worked example
The token eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMiLCJleHAiOjE3MDAwMDAwMDB9.sig
decodes to:
- Header:
{"alg":"HS256"} - Payload:
{"sub":"123","exp":1700000000}— expiry shown as 2023-11-14 22:13:20 UTC
If that expiry is in the past, the tool shows it as expired.
Security reminders
Because anyone can decode a JWT, never put secrets, passwords, or sensitive personal data in the payload — it is readable by any party that intercepts the token. The signature only proves the payload has not been tampered with; it does not hide the contents. Always verify the signature server-side using your signing key before trusting any claim for authentication or authorization. The algorithm in the header should be validated against an explicit allow-list — reject alg: none outright.