About the JWT Decoder

JSON Web Tokens (JWTs) are the standard authentication token format used by most modern web APIs. They encode three pieces of information: the header (algorithm used to sign), the payload (claims — user ID, roles, expiry etc.), and the signature (used to verify authenticity).

What this tool does

It Base64-decodes the header and payload and displays them as readable JSON. If the payload contains an exp claim, it shows the expiry date/time and whether the token is currently valid or expired.

Security note

This tool does not verify the signature — that requires the secret key, which should never leave your server. The tool is decode-only and sends no data anywhere.

Frequently Asked Questions

Is this safe to use with real tokens?
The tool is decode-only and runs entirely in your browser. No data is sent anywhere. Still, avoid pasting tokens that grant access to live production systems.

Why is the signature not verified?
Verification requires the secret key. This is a decoder only. Always verify tokens server-side with the proper secret in production.

What is a JWT?
A JSON Web Token is a compact, Base64-encoded format for authentication. It has three parts: header, payload (claims), and signature.