Decoded locally. This tool does not verify the signature, so never treat decoded claims as trusted.

Questions

Frequently asked questions

Is my JWT sent to a server?

No. Base64URL decoding happens locally in your browser.

Does decoding verify the JWT signature?

No. Decoding only reveals the header and payload. Your application must verify the signature with the correct trusted key before accepting claims.

Can JWT payloads contain secrets?

They should not. JWT payloads are encoded, not encrypted, and anyone holding the token can usually read them.

What are exp and iat?

exp is the expiry time and iat is the issued-at time, represented as Unix timestamps in seconds.