Frequently asked questions
Is my token sent to a server?
No. All decoding happens locally in your browser using JavaScript. Your JWT is never transmitted, logged or stored, so it's safe to paste real tokens.
Does this verify the signature?
No — and that's deliberate. Verifying a signature requires the secret or public key, which you should never paste into a website. This tool decodes and inspects the header and payload; use your backend to verify signatures.
Why can I read the payload without a key?
Because a JWT payload is only Base64URL-encoded, not encrypted. That's by design — never put secrets in a JWT payload, since anyone holding the token can read it.
What does 'expired' mean here?
If the payload has an exp claim, the tool compares it to the current time and flags whether the token is still valid or has expired. It also reads nbf (not-before) if present.
About JWT decoding
- A JWT has three Base64URL parts: a header (algorithm and type), a payload (the claims), and a signature. This tool decodes the first two and shows the third.
- Decoding is not verifying. Anyone can read a JWT's payload — it is only encoded, not encrypted. The signature is what proves the token wasn't tampered with, and verifying it requires the secret or public key, which should never be pasted into any website.
- Common claims:
sub(subject),iat(issued-at),exp(expiry),nbf(not-before),iss(issuer),aud(audience). Timestamps are shown in your local time. - Everything runs in your browser. Your token is never sent anywhere, so it's safe to inspect real tokens here.