JWT claims explainer
A JSON Web Token is readable but cryptic — exp, nbf and iat are Unix
timestamps and iss, sub, aud are three-letter abbreviations. Paste a token
here and it decodes the header and payload and adds a plain-English explanation of
every standard registered claim, following the RFC 7519 definitions.
How it works
A JWT has three Base64URL-encoded parts joined by dots:
header.payload.signature. The tool splits on the dots, decodes the first two
parts with the browser’s atob() and JSON.parse(), and annotates each claim:
| Claim | Meaning (RFC 7519) |
|---|---|
| iss | Issuer — who created the token |
| sub | Subject — who the token is about |
| aud | Audience — who it is intended for |
| exp | Expiration time (must be after now) |
| nbf | Not-before time (valid from) |
| iat | Issued-at time |
| jti | Unique token ID |
The time claims (exp, nbf, iat) are converted to readable UTC dates, and
the token is flagged EXPIRED or NOT YET VALID when the current time falls
outside its exp/nbf window. Any key that is not a registered claim is labelled
a custom application claim rather than guessed.
Example
A payload of { "sub": "1234", "iat": 1700000000, "exp": 1700003600 } is explained
as: subject 1234, issued at 2023-11-14 22:13:20 UTC, expiring one hour later. If
that expiry is in the past, the token is marked EXPIRED.
Everything runs in your browser — the token is never transmitted, so it is safe to paste real credentials. The signature is shown but never verified, since that needs a key you should never paste into a web page.