JWT Decoder
Paste a JSON Web Token (JWT). Get decoded header, payload, and signature parts instantly. Token is decoded client-side — never sent anywhere.
Privacy: Your token never leaves your browser. JustKit doesn't have a server side. Verify in your browser's network tab.
What this does
A JWT has three parts separated by dots: header.payload.signature. Each part is base64url-encoded. The header and payload are JSON; the signature is raw binary, an HMAC or a public-key signature depending on the algorithm. JustKit:
- Decodes header and payload from base64url to JSON
- Pretty-prints the JSON
- Highlights expiration claims (exp) and issued-at (iat) — converts unix timestamps to readable dates
- Shows the signature segment but does not verify it (requires the secret/key)
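The steps listed above, as an added JavaScript example (not JustKit's own code): it splits the token, decodes each base64url segment, converts exp/iat to dates, and marks the result as unverified, since decoded claims say nothing about who issued the token. The function names (`decodeJwt`, `b64urlToBytes`, `parseJsonSegment`) and the sample token are constructed for illustration.

```javascript
// Added example: decode (not verify) a JWT. Runs in a browser or in Node 16+.
const B64URL = /^[A-Za-z0-9_-]*$/;

function b64urlToBytes(seg) {
  if (!B64URL.test(seg) || seg.length % 4 === 1) throw new Error("Invalid JWT: bad base64url");
  const b64 = seg.replace(/-/g, "+").replace(/_/g, "/") + "=".repeat((4 - (seg.length % 4)) % 4);
  return Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
}

function parseJsonSegment(seg, name) {
  let value;
  try {
    value = JSON.parse(new TextDecoder("utf-8", { fatal: true }).decode(b64urlToBytes(seg)));
  } catch (e) {
    throw new Error(`Invalid JWT: ${name} is not base64url-encoded JSON`);
  }
  if (value === null || typeof value !== "object" || Array.isArray(value)) {
    throw new Error(`Invalid JWT: ${name} is not a JSON object`);
  }
  return value;
}

function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = String(token).trim().split(".");
  if (parts.length !== 3) throw new Error("Invalid JWT: expected header.payload.signature");
  const header = parseJsonSegment(parts[0], "header");
  const payload = parseJsonSegment(parts[1], "payload");
  const signatureBytes = b64urlToBytes(parts[2]); // opaque bytes; NOT verified here
  const dates = {};
  for (const claim of ["exp", "iat"]) {
    const d = new Date(payload[claim] * 1000); // claims are seconds, Date wants ms
    if (typeof payload[claim] === "number" && !Number.isNaN(d.getTime())) dates[claim] = d.toISOString();
  }
  return {
    header, payload, dates,
    signature: parts[2],
    signatureLength: signatureBytes.length,
    expired: Number.isFinite(payload.exp) ? nowSeconds >= payload.exp : null,
    verified: false, // decoding proves nothing about who issued the token
  };
}

// Constructed sample token; the signature segment is a dummy value, not a real MAC.
const enc = (obj) => btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE = `${enc({ alg: "HS256", typ: "JWT" })}.${enc({ sub: "demo", iat: 1700000000, exp: 1700003600 })}.c2lnbmF0dXJl`;
console.log(JSON.stringify(decodeJwt(SAMPLE, 1700000100), null, 2));
```

Treat the returned header and payload as untrusted input until a JWT library has verified the signature with the correct key.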
FAQ
Does JustKit verify the signature?
No. Verification requires the secret key (HS*) or public key (RS*/ES*), which we don't have. For verification, use your JWT library (jsonwebtoken in Node, PyJWT in Python, etc.).
Is it safe to paste a real token?
All decoding is client-side. The token never leaves your browser. That said, if a token is highly sensitive, prefer your library's debugger to any web tool — including this one.
Why does the payload show numbers for exp/iat?
JWT timestamp claims are Unix timestamps (seconds since 1970). JustKit shows them in human-readable form below the JSON.