Decoding happens locally in your browser. Never paste production secrets. This tool does not verify the signature.
- Issued at (iat)
- 11/14/2023, 10:13:20 PM
- Expires (exp)
- 5/18/2033, 3:33:20 AM — valid
Header
{
"alg": "HS256",
"typ": "JWT"
}Payload
{
"sub": "1234567890",
"name": "MAKS Demo",
"iat": 1700000000,
"exp": 2000000000
}Decoding is local to your browser and does not verify signatures. Never paste production secrets or sensitive tokens into online tools.
About the JWT decoder
A JSON Web Token (JWT) has three Base64URL-encoded parts: a header, a payload, and a signature. This tool decodes the header and payload so you can inspect the claims, and converts timestamp claims like exp into readable dates.
It does not check the signature — verification requires the secret or public key and should be done server-side.
Frequently asked questions
- Does this verify the JWT signature?
- No. This tool only decodes the header and payload for inspection. It does not verify the signature, which requires the signing secret or public key.
- Is it safe to paste a token here?
- Decoding runs entirely in your browser and nothing is uploaded. Even so, never paste production tokens or secrets into any online tool you don't fully control.
- What do iat, exp, and nbf mean?
- They are standard JWT claims: iat (issued at), exp (expiry), and nbf (not valid before). This tool converts them to readable dates and flags expired tokens.