Question 1

Does this verify the JWT signature?

Accepted Answer

No. Signature verification requires the secret key or the RSA/ECDSA public key, which the tool never has. The decoder only base64url-decodes the header and payload, which is safe and useful for inspecting contents without needing the key.

Question 2

Is it safe to paste a real JWT here?

Accepted Answer

The decoding happens entirely in your browser — nothing is sent to a server. That said, JWTs can carry access tokens. Treat them like passwords: paste production tokens only in a trusted environment, and rotate any you paste into a public or shared machine.

Question 3

What do the colour-coded token segments mean?

Accepted Answer

Red is the header (algorithm and type), purple is the payload (claims), and blue is the signature — the same colour convention used by jwt.io.

Question 4

What is exp / nbf / iat?

Accepted Answer

exp (expiration) is the Unix timestamp after which the token is no longer valid. nbf (not before) is the earliest it should be accepted. iat (issued at) is when it was created. All three are rendered as human-readable UTC dates alongside the raw epoch value.

Question 5

Does the tool support JWE or nested JWTs?

Accepted Answer

JWS compact serialisation (the common 3-part JWT) is supported. JWE (encrypted tokens, 5 parts) and nested JWTs are not decoded automatically — paste the inner token separately if needed.

Claim	Full name	Description
iss	Issuer	Who issued the token
sub	Subject	The entity the token is about
aud	Audience	Intended recipients
exp	Expiration Time	Token must not be accepted after this Unix timestamp
nbf	Not Before	Token must not be accepted before this Unix timestamp
iat	Issued At	When the token was issued (Unix timestamp)
jti	JWT ID	Unique identifier — used for replay prevention

🔑 JWT Decoder

Header — JOSE header

Payload — claims

Signature

FAQ

More tools

JSON

Code

Ornaments

Image

Web / SEO

Generators

PDF