JWT Decoder

Decode a JSON Web Token's header and payload in your browser — see claims, expiry and issuer. No data sent anywhere.

Paste a JWT

Decoding only — this does not verify the signature. Everything runs in your browser; never paste production tokens you don't control.

How to use the JWT Decoder

Paste the token. Drop in the full header.payload.signature JWT.
Decode. View the header and payload as formatted JSON.
Read the claims. See expiry, issued-at, issuer and subject if present.

Free to use — premium coming soon

FREE

✓ Header & payload decode
✓ Expiry/claim summary
✓ 100% private

PREMIUM

★ Remove ads
★ Signature verification

About the JWT Decoder

A JWT Decoder splits a JSON Web Token into its three dot-separated parts and turns the first two back into readable JSON so you can inspect what a token actually carries. A JWT looks like xxxxx.yyyyy.zzzzz: the header, the payload, and the signature. The header and payload are Base64URL-encoded JSON, not encrypted, which means anyone holding the token can read them. This tool reverses that encoding and shows the header (the signing algorithm and token type) alongside the payload (the claims about the user or session), giving developers a fast way to see what is inside a token without writing throwaway code.

Reach for a decoder when you are debugging authentication: a login is rejected, an API returns 401, or a session expires sooner than expected. By decoding the token you can confirm which algorithm signed it (the alg field), check who issued it (iss), who it is about (sub), and exactly when it expires (exp). The exp and iat claims are Unix timestamps measured in seconds since 1970, not human-readable dates, so a good decoder converts them for you. Seeing those values side by side usually pinpoints the problem far faster than guessing at server logs.

Decoding works purely by reformatting, not by verifying. The tool takes each segment, replaces the URL-safe Base64 characters, decodes the bytes, and parses the resulting JSON. Crucially, it does not check the signature, because verifying authenticity requires the issuer's secret key (for HMAC algorithms like HS256) or public key (for RSA/ECDSA). That key should never be pasted into any web page. So a decoder tells you what a token claims, but never whether those claims are trustworthy or whether the token has been tampered with. Signature verification belongs on your server or in a local command-line tool.

Privacy note specific to this tool: a real token can contain user IDs, email addresses, organization identifiers, and permission scopes. Because the payload is only encoded, treat any token you decode as if its contents were written in plain text. Avoid pasting live production tokens into any online decoder you do not fully control, since third-party scripts, analytics, and browser extensions can read input fields on a page. For genuinely sensitive tokens, decode them locally or strip them to a non-production example first. Use this tool for development, debugging, and learning, not for handling credentials you cannot afford to leak.

Frequently asked questions

Does this tool verify the JWT signature?

No. It only decodes the header and payload so you can read the claims. Verifying the signature requires the issuer's secret or public key, which should never be entered into a web tool. Validate signatures on your server or with a local library instead.

Why can anyone read my token's contents?

The header and payload are Base64URL-encoded JSON, not encrypted. Encoding only makes the data compact and URL-safe; it does not hide it. Anyone with the token string can decode it, which is why you should never put passwords or secrets inside a JWT payload.

What do the exp and iat claims mean?

exp is the expiration time and iat is the issued-at time, both stored as Unix timestamps in seconds since January 1, 1970 (UTC). A token is no longer valid once the current time passes exp. The decoder converts these numbers into readable dates for you.

What are the most common standard claims I'll see?

The registered claims defined in RFC 7519 include iss (issuer), sub (subject, usually the user), aud (audience), exp (expiry), nbf (not valid before), iat (issued at), and jti (a unique token ID). They are kept to three letters to keep tokens small.

Is it safe to paste a production token here?

It is safer to avoid it. Live tokens often contain user IDs, emails, and permission scopes, and any page can be affected by third-party scripts or browser extensions reading the input. For sensitive tokens, decode them locally or use a sample token instead.

From our blog

UUID v4 in Practice: How Random IDs Work and When to Use Them

By the Super Simple Digital Tools Team · Updated June 2026

A UUID is a 128-bit number, but you almost always meet it as a 36-character text string split into the 8-4-4-4-12 groups. Of those 128 bits, version 4 reserves a handful to mark the version and variant and fills the other 122 with randomness. That single design choice is what makes v4 so easy to work with: there is no clock to read, no node identifier to configure, and no coordination between machines. Any client, anywhere, online or offline, can produce one and trust it will not clash with anyone else's.

The generation step is mechanical. The tool requests 16 random bytes from a cryptographically secure generator, then sets four bits of one byte to encode version 4 and two bits of another to encode the RFC variant. Everything else is left untouched. Decode any v4 value and you will see the fixed 4 in the version position and an 8, 9, a, or b in the variant position; the rest is noise. Because nothing about the host or the timestamp is encoded, a v4 UUID reveals nothing about who or what created it, which is a real privacy advantage over the older version 1 format.

It helps to put the collision math in perspective rather than just calling it impossible. The birthday-paradox calculation says you need around 2.71 x 10^18 generated UUIDs before the probability of any two matching reaches 50%. Generating a billion every second, that milestone is roughly 86 years away, and most applications never create more than a few billion identifiers across their entire lifetime. The one assumption baked into those numbers is good entropy: the guarantee depends on a strong random source, so a weak or low-entropy generator is the only realistic way to get into trouble.

Choosing v4 versus its siblings comes down to what you need from the ID. Version 1 stitches together a timestamp and the machine's MAC address; it is sortable but leaks hardware details and is largely avoided today. Version 7, standardized in RFC 9562 in 2024, leads with a 48-bit millisecond timestamp followed by random bits, so values sort by creation time and play nicely with database B-tree indexes. Version 4 trades that ordering for pure randomness, which is exactly what you want when you do not need sortability and would rather not embed a timestamp at all.

In real codebases, v4 UUIDs end up everywhere: primary keys when you want client-generated IDs, idempotency keys that let an API safely retry a request, correlation IDs that trace one call across many services, file and object names that will never collide, and stable handles for records that exist before they are saved. Bulk generation is the common workflow here: developers grab dozens or hundreds at once to seed test data, populate fixtures, or pre-allocate identifiers. Generate the batch, paste it where you need it, and move on.

Generating a batch for a test database or fixtures? Use the bulk option, then paste the whole block into your seed script instead of running the tool once per row.
Validate a UUID by eye: confirm 36 characters, four hyphens in the 8-4-4-4-12 pattern, a 4 in the 13th digit, and 8/9/a/b in the 17th digit for a true v4.
Storing many UUIDs in MySQL? Prefer BINARY(16) over CHAR(36); it is far more index- and space-efficient. PostgreSQL has a native 16-byte uuid type, so use that.
If you need IDs that sort by creation time for index performance, pick UUID v7 instead; reserve v4 for cases where unpredictability matters more than ordering.

Read the full guide →

Tool by the Super Simple Digital Tools Team. Reviewed by our editorial team. Free to use, no signup required.