BYTETOOLS

How to Decode a JWT and Inspect Its Claims Safely

To decode a JWT, paste the full token into a decoder and it splits the header, payload and signature, pretty-printing the first two as JSON. The ByteTools JWT Decoder also converts the iat, exp and nbf timestamps into readable dates and shows a badge telling you whether the token is still valid — all without leaving your browser.

A JSON Web Token looks like an impenetrable string of characters, but it is really just three Base64url segments joined by dots. Decoding it is the fastest way to debug an authentication problem.

What a JWT contains and who needs to read it

Every signed JWT has three parts: a header declaring the signing algorithm, a payload carrying claims like the subject, issuer, scopes and expiry, and a signature that protects integrity. The header and payload are only Base64url-encoded, not encrypted, so anyone can read them. That is exactly what makes a decoder useful — and also why you must never place secrets in a payload.

This tool is aimed at developers wiring up OAuth and OpenID Connect, API engineers debugging 401 responses, and security testers inspecting what a token actually asserts. Instead of writing a throwaway script, you paste and read.

How to decode a JWT in your browser

  1. Paste the full token — header.payload.signature — into the input box.
  2. Read the decoded header and payload as pretty-printed JSON.
  3. Check the expiry badge and the human-readable iat, exp and nbf dates.
  4. Use the copy buttons to grab the decoded JSON if you need it elsewhere.

Registered JWT claims worth knowing

The JWT spec defines a set of standard claims that appear in most tokens. Recognising them lets you diagnose expiry and validity issues at a glance.

Claim | Meaning     | Why it matters
iat   | Issued at   | When the token was created
exp   | Expiry time | After this, the token is rejected
nbf   | Not before  | Token is invalid until this moment
sub   | Subject     | Who or what the token is about
iss   | Issuer      | Which service minted the token

The three timestamp claims are Unix seconds, which is why a decoder that converts them to dates saves so much mental arithmetic.

Key features and benefits

  • Instant decode of header and payload to formatted JSON.
  • Readable timestamps for iat, exp and nbf.
  • Expiry badge based on the exp and nbf claims.
  • Signature shown as raw reference, since it cannot be verified without a key.
  • 100% client-side — safe even for production tokens, and works offline.
  • Clear errors for malformed or truncated tokens.

Try the JWT Decoder now — it's free and runs entirely in your browser.

Frequently asked questions

Does this tool verify the JWT signature?

No. It only Base64-decodes the header and payload, which needs no secret. Verifying the signature requires the signing key — an HMAC secret or the issuer's public key — and belongs on the server. Never trust a token's claims just because they decode cleanly.

Is it safe to paste a real JWT into an online decoder?

With this tool, yes — decoding runs entirely in your browser and the token is never transmitted or logged. Be wary of decoders that send tokens to a server, because a live token is a bearer credential that grants access to whoever holds it.

What do iat, exp and nbf mean?

They are Unix timestamps in seconds: iat is when the token was issued, exp is when it expires, and nbf is the earliest moment it may be used. This decoder converts all three to readable dates and compares exp against the current time.

Why does my JWT fail to decode?

A valid JWT has exactly three dot-separated Base64url segments. Failures usually mean the token was truncated when copied, contains extra whitespace or quotes, or is actually an opaque session token. Check that it starts with something like eyJ.

Are JWTs encrypted?

Standard signed JWTs are not encrypted — anyone can read the payload, as this tool demonstrates. Only integrity is protected by the signature. If confidentiality is required, encrypted JWE tokens are used instead.

Built by ByteVancer

ByteTools is a free product of ByteVancer, a software and web development studio that builds web apps, SaaS platforms and custom software for businesses. If you need help building secure authentication or a full product, explore ByteVancer's services and get in touch.