Is my token sent to a server?

No. The token is split and Base64URL-decoded locally with the browser's built-in atob() and JSON.parse(). It never leaves your device, so it is safe to use with real tokens.

Does this verify the signature?

No. Verifying a JWT signature requires the secret or public key, which is server-side information. This tool decodes and explains only the readable header and payload — exactly what any recipient sees before verifying.

How accurate are the claim descriptions?

The standard registered claims (iss, sub, aud, exp, nbf, iat, jti) follow their RFC 7519 definitions. Any non-standard key is labelled as a custom application claim rather than guessed.

JWT Claims Explainer

JWT claims explainer

Paste a JSON Web Token and see not just the decoded header and payload, but a plain-English explanation of every standard registered claim — iss, sub, aud, exp, nbf, iat, jti and more.

Time claims are converted to readable UTC dates, and the token is flagged when it is expired or not yet valid. Custom application claims are labelled as such instead of being guessed.

Everything runs in your browser — the token is never transmitted, so it is safe to paste real credentials. The signature is shown but never verified, since that needs a key you should never paste into a web page.