JWT Decoder — Frequently Asked Questions
Everything you need to know about using JWT Decoder.
Does the decoder verify the signature?
No. Signature verification requires the secret or public key, which we do not and should not have. Use this tool to inspect contents — always verify signatures server-side with the real key.
Can I decode any JWT?
Yes, as long as it follows the standard header.payload.signature structure and uses base64url encoding (which all JWTs do).
What if my token is not valid?
The decoder shows a clear error pointing to which part failed (header parse, payload parse, base64 decode). Most often it is a copy-paste truncation or extra whitespace.
Is it safe to paste a production token?
Decoding happens entirely in your browser — nothing is sent to a server. That said, a JWT is a credential. If your screen is shared or recorded, the decoded payload is visible.
Why are my dates showing as numbers?
JWT timestamps (iat, exp, nbf) are stored as seconds since 1970. The decoder converts them to human-readable dates with relative time ("expires in 2h") next to the raw values.