How to decode a JWT token safely
To decode a JWT, open the ToolCrix JWT Decoder, paste your token, and the header and payload are decoded and displayed instantly — with human-readable timestamps and expiry status. Everything happens in your browser; your token is never transmitted anywhere.
Need to inspect a JWT token — to check claims, see when it expires, or debug an authentication issue — without pasting it into a random website? This guide shows you how to decode JWTs safely in your browser, entirely offline.
What is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe way to transmit claims between parties. It's the backbone of most modern web authentication: OAuth 2.0, OpenID Connect, API authorisation, and single sign-on all use JWTs. A token has three Base64-encoded sections separated by dots: header (algorithm and type), payload (the claims), and signature (cryptographic verification).
How to decode a JWT (step by step)
- Open the JWT Decoder.
- Paste your JWT token into the input.
- The header and payload are decoded and displayed instantly.
- Issued-at (iat) and expiry (exp) timestamps are converted to human-readable dates.
- Check the expiry status — green if valid, red if expired.
Is it safe to decode tokens here?
Yes. The decoding happens entirely in your browser using JavaScript. The token is never sent over the network. However, only the header and payload are decoded — signature verification requires the secret or public key that only your server has. This tool is for inspection, not for trusting token content.
Common JWT claims
- iss (issuer) — who issued the token.
- sub (subject) — the user or entity the token is about.
- aud (audience) — who the token is intended for.
- exp (expiration) — when the token expires (Unix timestamp).
- iat (issued at) — when the token was created.
- nbf (not before) — the token is invalid before this time.
Frequently Asked Questions
Does this verify the signature?
No — it only decodes the readable parts. Signature verification needs the secret or public key that signed the token.
Can I decode tokens offline?
Yes — the decoder runs entirely in your browser with no server dependency.
Try it now: open the free JWT Decoder, or browse more developer guides.