jwt.
paste any json web token to decode its header, payload, and signature. standard claims get surfaced at the top with an expiry countdown. nothing is sent anywhere — decoding runs entirely in your browser.
note: this only decodes, it doesn't verify the signature. anyone with the token can read everything shown below — treat the payload as public once it's in transit.
// token
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6Ikx1bmEgSGV5IiwiaWF0IjoxNTE2MjM5MDIyLCJleHAiOjE1MTYyNDEwMjJ9.KHGJj2WzBZSJ2CR5wBbKRTqR5p7w3vglbxbpTjtybno
// claims● expired
- subsubject
- 1234567890
- iatissued at
- 2018-01-18 01:30:22z3020d ago
- expexpires
- 2018-01-18 02:03:42z3020d ago
header.json
{
"alg": "HS256",
"typ": "JWT"
}payload.json
{
"sub": "1234567890",
"name": "Luna Hey",
"iat": 1516239022,
"exp": 1516241022
}// signaturealg HS256 · 32 bytes
base64url
KHGJj2WzBZSJ2CR5wBbKRTqR5p7w3vglbxbpTjtybnohex
2871898f65b3059489d82479c016ca453a91e69ef0def8256f16e94e3b726e7asignature is not verified — that would require the issuer's public key or shared secret. use this for reading tokens, not trusting them.