Paste a JSON Web Token to see its header and payload. This only decodes — it never verifies the signature, and the token never leaves your browser.
A JWT's header and payload are just Base64URL-encoded JSON — anyone can decode them without a key, which is exactly what this tool does. Verifying the signature is a different operation entirely: it proves the token wasn't tampered with, and it requires the issuer's secret or public key, which this page never asks for or has access to. Don't treat a decoded-but-unverified token as trustworthy in your own code.
exp — expiration time (Unix timestamp)iat — issued-at timesub — subject, usually the user IDiss — issueraud — intended audience