
JWT Decoder

Decode JWT header and payload, see expiration status. No signature verification.

Algorithm: HS256
Type: JWT
Status: OK
Header
{
  "alg": "HS256",
  "typ": "JWT"
}
Payload
{
  "sub": "1234567890",
  "name": "Jane Doe",
  "iat": 1516239022,
  "exp": 1935757800
}
Issued: 2018-01-18T01:30:22.000Z
Expires: 2031-05-05T14:30:00.000Z
Signature present (not verified)

This tool decodes only; it does NOT verify the signature. JWT contents are public; never put secrets in the payload. Verification requires the signing key and is the server's job.

JWT in one paragraph

A JWT is three base64url-encoded segments joined by dots: header, payload, signature. The header declares the algorithm. The payload carries the claims (subject, expiration, custom data). The signature is the issuer's tamper-evident seal. The first two are public: base64 is encoding, not encryption. Treating JWT contents as secret is a recipe for sensitive-data leaks.

FAQ

Why no signature verification?
Verification needs the issuer's signing key (or JWKS endpoint). For decoding-only inspection — what 95% of debugging needs — a key isn't required. Verify on your server with jose or your framework's middleware.
Are JWT contents secret?
No. The payload is base64-encoded — anyone with the token can read it. Never put passwords, social-security numbers, or anything sensitive in the payload. Use opaque tokens or encrypted JWE for that.
My token doesn't decode — what's wrong?
Common causes: missing dot separators, copy-paste added whitespace, or it's a JWE (encrypted) — those need a key to even read. JWS tokens (the common case) decode without a key.
Does it support all algorithms?
Decoding is algorithm-agnostic — we just split on dots and base64-decode. Verification (which we don't do here) requires algo-specific keys.
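
The decode path described in the FAQ (split on dots, base64url-decode, no key), as an added example that is not this tool's own code. It runs under Node.js; the function names, the `EXPIRED` and `NO_EXP` status labels, and the sample token's placeholder third segment are assumptions constructed for illustration.

```javascript
const SEGMENT = /^[A-Za-z0-9_-]+$/; // base64url alphabet, unpadded

function decodeSegment(seg) {
  if (!SEGMENT.test(seg)) throw new Error('segment is not base64url');
  // Map base64url to standard base64; Buffer tolerates missing padding.
  const b64 = seg.replace(/-/g, '+').replace(/_/g, '/');
  const obj = JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
  if (obj === null || typeof obj !== 'object') throw new Error('segment is not a JSON object');
  return obj;
}

function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  // Pasted tokens often pick up spaces or line breaks; drop them first.
  const parts = token.replace(/\s+/g, '').split('.');
  if (parts.length === 5) {
    return { ok: false, reason: 'JWE (encrypted): a key is needed to read it' };
  }
  if (parts.length !== 3) {
    return { ok: false, reason: 'expected 3 dot-separated segments, got ' + parts.length };
  }
  let header, payload;
  try {
    header = decodeSegment(parts[0]);
    payload = decodeSegment(parts[1]);
  } catch (err) {
    return { ok: false, reason: 'cannot decode: ' + err.message };
  }
  let status = 'NO_EXP'; // assumed label for a token without an exp claim
  if (typeof payload.exp === 'number') {
    status = nowSeconds >= payload.exp ? 'EXPIRED' : 'OK';
  }
  return {
    ok: true, header, payload, status,
    // Presence only: a forged token also carries a third segment.
    signature: parts[2] ? 'present (not verified)' : 'absent',
  };
}

// Constructed sample: the header and payload shown on this page, with a
// placeholder third segment that is not a valid HS256 MAC.
const toB64Url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const SAMPLE = [
  toB64Url({ alg: 'HS256', typ: 'JWT' }),
  toB64Url({ sub: '1234567890', name: 'Jane Doe', iat: 1516239022, exp: 1935757800 }),
  'c2lnbmF0dXJl',
].join('.');

console.log(inspectJwt(SAMPLE));
```

Nothing in the returned object is trustworthy for authorization: the claims are read without checking the third segment, so use it for debugging only.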
