Does this tool verify the JWT signature?

No. This tool only decodes the Base64-encoded header and payload for inspection. Signature verification requires the secret key or public key and should always be done server-side.

Is it safe to paste my JWT here?

Yes. Everything runs 100% in your browser. The JWT is never sent to any server. You can verify this by checking the Network tab in your browser's developer tools.

ByteBox / Tools / JWT Decoder

JWT Decoder & Inspector

Paste a JSON Web Token to decode its header, payload, and check expiration — all locally.

Last updated: Mar 15, 2026

Paste JWT

This tool only decodes the JWT. It does not verify the signature — server-side validation is required for security.

What is a JWT?

A JSON Web Token (JWT) is an open standard (RFC 7519) for securely transmitting information between parties as a JSON object. JWTs have three parts separated by dots: a Header (algorithm & type), a Payload (claims/data), and a Signature (integrity verification). They're widely used in OAuth 2.0 / OpenID Connect for authentication and API authorization.

Common Claims

sub (subject), iss (issuer), exp (expiration), iat (issued at), aud (audience), and nbf (not before). Custom claims can hold any application-specific data.

Was this useful?

Report / Suggest

JWT Decoder & Inspector

What is a JWT?

Common Claims

Related Tools