What a JWT contains
A JSON Web Token has three parts separated by dots: header.payload.signature. The header and payload are Base64URL-encoded JSON — readable by anyone. The signature is what proves the token wasn't tampered with, and verifying it requires the signing key. This tool shows you the first two parts and leaves the signature untouched.
Common payload claims
sub — subject (usually the user ID)
iat — issued-at time (Unix seconds)
exp — expiry time (Unix seconds)
nbf — not-valid-before time
iss / aud — issuer and audience
FAQ
Is my token sent anywhere?
No. The token is decoded locally in your browser and never leaves the page.
Why isn't the signature verified?
Verification requires the signing secret, or the public key that matches the signing key, which only your backend should hold. This tool intentionally stays a decoder.
Can I read an encrypted JWT (JWE)?
No. Standard JWTs are signed, not encrypted, so their payload is readable. A JWE is encrypted and cannot be read without the key.