What are the three parts of a JWT?

A JWT is three Base64url segments joined by dots: a header, a payload, and a signature. The header names the signing algorithm, the payload holds the claims (the data), and the signature lets the recipient verify the token was not altered.

Does this tool verify the signature?

No. Verifying a signature requires the secret or public key and is a security-sensitive operation that should happen server-side. This tool only decodes the header and payload so you can read what a token contains; never trust an unverified payload for authorization.

Why does the payload decode but show no readable signature?

The signature is raw bytes produced by an HMAC or asymmetric algorithm, not text, so Base64url-decoding it yields binary rather than JSON. The tool shows the signature only as its original Base64url string.

What do exp, iat, and nbf mean?

These are standard registered claims. iat is issued-at, nbf is not-before, and exp is expiry, each a Unix timestamp in seconds. The tool converts them to readable dates and warns when the current time is past exp.

Is it safe to paste a token here?

The decoding happens entirely in your browser with JavaScript, so the token is never sent anywhere. Still, treat real tokens as secrets and avoid pasting production credentials into any tool you do not control.

JWT Decoder (Header + Payload)

A JSON Web Token (JWT) carries signed claims as three Base64url segments separated by dots: header.payload.signature. This tool splits a token and decodes the header and payload into readable JSON, in your browser. It does not verify the signature.

How it works

The token is split on the dot . into up to three segments.
The header and payload are Base64url-decoded: url-safe - and _ are mapped back to + and /, padding is restored, and the bytes are UTF-8 decoded and parsed as JSON.
The result is pretty-printed. Standard time claims — iat (issued-at), nbf (not-before), and exp (expiry) — are Unix timestamps in seconds and are shown as readable dates.
If the current time is past exp, the token is flagged as expired.

The signature is raw cryptographic bytes, so it is shown only as its Base64url string, not decoded to JSON.

Tips and examples

A token like eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMiLCJleHAiOjE3MDAwMDAwMDB9.sig decodes to a header {"alg":"HS256"} and a payload containing sub and an exp timestamp shown as a date. Because anyone can decode a JWT, never put secrets in the payload, and always verify the signature server-side before trusting any claim for authentication or authorization.