JWT Decoder

Paste a JWT to decode its header and payload. See expiration status, issued-at time, and all claims. Everything runs in your browser — nothing is sent to a server.

Note: This tool only decodes JWTs — it does not verify signatures. Never paste sensitive tokens from production systems.

How it works

A JSON Web Token is made up of three Base64URL-encoded parts separated by dots: a header, a payload, and a signature. This tool splits the token, decodes the first two parts, and displays them as formatted JSON so you can inspect the algorithm, claims, and metadata inside.

Timestamps like exp (expiration), iat (issued at), and nbf (not before) are automatically converted to human-readable dates. The tool also tells you whether the token is currently expired, saving you the mental math of comparing Unix timestamps.

Note that this tool decodes but does not verify the signature — signature verification requires the secret or public key, which should never be pasted into a browser tool. Use this for debugging and inspection, not for security validation.