
JWT Base64URL Decoder

Decode a JWT's Header and Payload from Base64URL format directly in your browser. Inspect the algorithm, expiry, issued-at time, and all claims — no server, no upload.

This tool only decodes the JWT Header and Payload — it does not verify the signature. Decoding is not the same as verification — anyone can read the contents of a JWT. The signature proves authenticity and must be verified on the server.


How Each Part of a JWT Is Encoded

A JWT consists of three parts separated by dots. Each part is independently Base64URL-encoded:

Header

A JSON object specifying the token type and signing algorithm. Always present.

{ "alg": "HS256", "typ": "JWT" }
Payload

A JSON object containing claims — who the token represents, when it was issued, when it expires, and custom data.

{ "sub": "user_123", "exp": 1899110400 }
Signature

A cryptographic signature (or HMAC tag) computed over the encoded Header and Payload. Verification requires a secret key (HMAC) or public key (RSA/EC).

SflKxwRJSMeKKF2QT4fw…

Decoding a JWT in JavaScript

function decodeJwt(token) {
  const parts = token.split('.')
  if (parts.length !== 3) {
    throw new Error('Not a JWT: expected three dot-separated segments')
  }
  const [headerB64, payloadB64] = parts

  function decode(b64url) {
    // Convert Base64URL → standard Base64
    const b64 = b64url
      .replace(/-/g, '+')
      .replace(/_/g, '/')
    // Base64URL omits '=' padding; restore it to a multiple of 4 characters
    const pad = b64.length % 4
    const padded = pad ? b64 + '='.repeat(4 - pad) : b64

    // Decode to UTF-8 text, then parse the JSON
    const binary = atob(padded)
    const bytes = Uint8Array.from(binary, c => c.charCodeAt(0))
    return JSON.parse(new TextDecoder().decode(bytes))
  }

  return {
    header:  decode(headerB64),
    payload: decode(payloadB64),
    // Signature verification requires a key
    // — do that on the server, not here
  }
}

// `token` is the compact JWT string to inspect (for example, one pasted into the tool above)
const { header, payload } = decodeJwt(token)
console.log(header.alg)       // "HS256"
console.log(payload.sub)      // "user_123"
console.log(new Date(payload.exp * 1000))

Standard JWT Claims

Claim | Name | Type | Description
iss | Issuer | string | The entity that issued the token — typically the authentication server URL.
sub | Subject | string | The entity the token represents — typically a user ID.
aud | Audience | string or string[] | The intended recipients of the token — an API or service identifier.
exp | Expiration | number (Unix) | The time after which the token is invalid. Tokens with a past exp must be rejected.
nbf | Not Before | number (Unix) | The time before which the token is invalid. Rarely used.
iat | Issued At | number (Unix) | The time the token was issued. Can be used to detect stale tokens.
jti | JWT ID | string | A unique identifier for this token, used to prevent replay attacks.

All seven claims are optional. Custom claims (such as name, email, and roles) can be freely added.
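The following is an added example, not code from the page or its tool: it applies the rules in the claims table above (exp, nbf, iat, aud) to a decoded Payload, with `now` and `leeway` passed in so the check is deterministic and tolerant of small clock skew. It assumes Node.js 15.7 or later (for `Buffer`'s `base64url` encoding); the sample token is constructed inline with a placeholder signature, and claim checks like these belong after signature verification on the server, never instead of it.

```javascript
// Split a compact JWT and decode its JSON Header and Payload (no verification).
function parseJwt(token) {
  const parts = token.split('.')
  if (parts.length !== 3) throw new Error('JWT must have exactly three segments')
  const json = (seg) => JSON.parse(Buffer.from(seg, 'base64url').toString('utf8'))
  return { header: json(parts[0]), payload: json(parts[1]), signature: parts[2] }
}

// Return the reasons the claims are unacceptable; an empty list means they pass.
// `now` is a Unix timestamp in seconds; `leeway` is the permitted clock skew.
function checkClaims(payload, { now = Math.floor(Date.now() / 1000), audience, leeway = 0, maxAge } = {}) {
  const problems = []
  if (typeof payload.exp === 'number' && now >= payload.exp + leeway)
    problems.push('exp: token has expired')
  if (typeof payload.nbf === 'number' && now < payload.nbf - leeway)
    problems.push('nbf: token is not yet valid')
  if (typeof payload.iat === 'number' && maxAge !== undefined && now - payload.iat > maxAge)
    problems.push('iat: token is older than the permitted maximum age')
  if (audience !== undefined) {
    // aud may be a single string or an array; either way it must name this service.
    const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud]
    if (!aud.includes(audience)) problems.push('aud: token is not intended for this service')
  }
  return problems
}

// Constructed sample token: genuine Base64URL Header/Payload, placeholder signature.
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url')
const SAMPLE_TOKEN = [
  b64url({ alg: 'HS256', typ: 'JWT' }),
  b64url({ iss: 'https://auth.example.com', sub: 'user_123', aud: ['api.example.com'],
           iat: 1700000000, nbf: 1700000000, exp: 1700003600, jti: 'constructed-jti-1' }),
  'placeholder-signature',
].join('.')

const samplePayload = parseJwt(SAMPLE_TOKEN).payload
console.log(checkClaims(samplePayload, { now: 1700001000, audience: 'api.example.com' }))   // []
console.log(checkClaims(samplePayload, { now: 1700004000, audience: 'other.example.com' }))
// [ 'exp: token has expired', 'aud: token is not intended for this service' ]
```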

Does This Tool Verify the JWT Signature?

No. This tool only decodes and displays the Header and Payload — it does not verify the signature.

Verifying a JWT signature requires a secret key (for HMAC algorithms like HS256) or a public key (for RSA/EC algorithms like RS256, ES256). Verification must happen on the server — exposing a secret key in the browser defeats the purpose.

Anyone can decode a JWT — it is just Base64URL encoding, not encryption. The signature is what makes the claims trustworthy. An unverified JWT only tells you what someone claims is true, not that it is.

Verifying a JWT on the Server (Node.js)

import fs from 'node:fs'
import jwt from 'jsonwebtoken'

// `token` is the compact JWT received from the client (for example, from an Authorization: Bearer header)

// HS256 — verify with shared secret
try {
  const payload = jwt.verify(token, process.env.JWT_SECRET, {
    // Pin the expected algorithm so the token's own header cannot choose it
    algorithms: ['HS256'],
  })
  // payload is trusted only if verify() didn't throw
  console.log(payload.sub)
} catch (err) {
  // TokenExpiredError, JsonWebTokenError, etc.
  console.error('Invalid token:', err.message)
}

// RS256 — verify with public key
const publicKey = fs.readFileSync('public.pem')
const payload = jwt.verify(token, publicKey, {
  algorithms: ['RS256'],
})

Frequently Asked Questions

Does this tool verify the JWT signature?

No. This tool only decodes and displays the Header and Payload. Verifying a JWT signature requires a secret key (HMAC) or public key (RSA/EC). Signature verification must happen on the server — it must never be done in the browser, as that would expose the key.

Is it safe to paste a JWT into this tool?

This tool runs entirely in the browser — your token is never sent to any server. Even so, treat JWTs like passwords: avoid pasting real production tokens from sensitive systems into any online tool, including this one. For sensitive tokens, use the official jwt.io library or your server-side runtime to decode locally.

Why do iat and exp in the JWT Payload show raw numbers?

The iat (issued at), exp (expiration), and nbf (not before) fields are Unix timestamps — the number of seconds elapsed since January 1, 1970 UTC. This tool automatically converts them to human-readable dates. The raw JSON preserves the original number format.

What does 'Expired' in the decoder mean?

The exp field is a Unix timestamp marking when the token expires. If exp is in the past, the token is no longer valid and a correctly implemented server will reject it. The expiry check is based on your local device time.

What are the standard JWT claims?

The JWT spec (RFC 7519) defines seven registered claims: iss (issuer), sub (subject), aud (audience), exp (expiration time), nbf (not before), iat (issued at), and jti (JWT ID). All are optional. Applications often add custom claims such as name, email, roles, and scope.

What is the difference between a JWT and a Base64URL string?

A JWT is a structured format: three Base64URL-encoded segments joined by dots. The first is a JSON Header, the second is a JSON Payload, and the third is a cryptographic signature. A plain Base64URL string has no fixed structure — it is just arbitrary data encoded for URL safety.

Need to encode or decode a Base64URL string?

The Base64URL Encoder supports text → Base64URL, Base64URL → text, and standard Base64 ↔ Base64URL conversions — ideal for working with individual JWT segments.
