JWT Decoder

Decode JWT header and payload in your browser, check expiry and claims — tokens never leave your device.

Decoding only — the signature is NOT verified. Your token never leaves the browser.

About the JWT Decoder

Paste a JSON Web Token and instantly see what's inside: the decoded header with the signing algorithm, the full payload with every claim, and the registered timestamps (iat, exp, nbf) translated into human-readable dates. The tool also tells you at a glance whether the token has already expired or how long it has left — no more copying epoch seconds into a separate converter while you debug.

JWTs routinely carry session identifiers, user details and API scopes, so pasting one into an unknown website is a genuine security risk. This decoder parses everything locally in your browser: the token is never transmitted, logged or stored anywhere, which makes it safe to inspect real production tokens while debugging login flows, OAuth integrations, expiry bugs and misconfigured claims. Note that decoding only reads the token — the signature is not verified.

Features

  • Decoded header and payload shown side by side
  • iat, exp and nbf claims converted to readable dates
  • Clear expired or valid-until status at a glance
  • Handles standard and custom claims alike
  • Token is parsed locally — it never leaves your browser
  • Free, instant and no sign-up required

How to decode a JWT online

  1. Copy the JWT from your app, API response or browser storage.
  2. Paste the full token into the input box.
  3. Read the decoded header and payload immediately.
  4. Check the translated iat and exp dates and the expiry status.
  5. Review custom claims to confirm your auth flow sets them correctly.

Frequently asked questions

Is it safe to paste a real JWT here?

Yes. The token is split and Base64-decoded entirely inside your browser with JavaScript — no request carries it to a server, and nothing is logged or stored. That said, treat live production tokens like passwords: this tool won't leak them, but avoid pasting them into tools that can't make the same promise.

Does this tool verify the JWT signature?

No. It decodes the header and payload so you can read the claims, but it does not check the signature, because verification requires the issuer's secret (for HMAC algorithms such as HS256) or public key (for RS256, ES256 and the other asymmetric algorithms). Never trust a token's contents for authorisation decisions without verifying its signature server-side with the proper key, and never let the token's own alg header decide how it is verified: the header is attacker-controlled, so the server must pin the algorithm it expects.

Why can I read a JWT without the secret key?

Because JWTs are encoded, not encrypted. The header and payload are just Base64Url-encoded JSON that anyone can decode; the secret (or, for asymmetric algorithms, the private key) is needed only to produce the signature, which proves the token wasn't tampered with but hides nothing. That's why sensitive data should never go in a JWT payload unless the token is additionally encrypted as a JWE.

What do iat, exp and nbf mean?

They're registered timestamp claims measured in Unix epoch seconds: iat is when the token was issued, exp is the time at or after which it must be rejected, and nbf is the time before which it must not be accepted. This decoder converts all three to your local date and time and flags expired tokens automatically.

Why does my token fail to decode?

A signed JWT has exactly three Base64Url sections separated by dots: header, payload and signature (an encrypted JWE has five and cannot be read by this tool). Decoding fails when the token was truncated during copying, wrapped in quotes or a 'Bearer ' prefix, or isn't a JWT at all. Paste the raw token only and make sure both dots survived the copy.
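The whole decode step described on this page, from cleaning a pasted token to translating iat, exp and nbf, as an added browser-side example that is not the tool's own source. It uses only atob() and TextDecoder, so it runs unchanged in a browser or under Node.js 16+. The token with exp and nbf set, the fixed "now" values and the placeholder signature are constructed for the example; the other token is the long-standing jwt.io demo token.

```javascript
// Added example, not this tool's code: local JWT decoding with no signature check.

// Base64Url -> UTF-8. JWT segments omit '=' padding and use '-' and '_' in
// place of '+' and '/'; both must be undone before atob() sees the input.
function base64UrlDecode(segment) {
  if (!/^[A-Za-z0-9_-]*$/.test(segment)) {
    throw new Error('segment contains characters outside the Base64Url alphabet');
  }
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  if (b64.length % 4 === 1) throw new Error('segment length impossible for Base64 (truncated?)');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder('utf-8', { fatal: true }).decode(bytes);
}

// Base64Url encoder, used here only to construct a sample token.
function base64UrlEncode(str) {
  const b64 = btoa(String.fromCharCode(...new TextEncoder().encode(str)));
  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Strip what a pasted token usually drags along: surrounding whitespace,
// quotes from a JSON body and the 'Bearer ' prefix of an Authorization header.
function cleanToken(raw) {
  return raw.trim().replace(/^["']+|["']+$/g, '').replace(/^Bearer\s+/i, '').trim();
}

// Split and parse. The third segment is returned untouched and NOT verified;
// nothing here proves the token is genuine or that the claims can be trusted.
function decodeJwt(raw) {
  const parts = cleanToken(raw).split('.');
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated segments, found ${parts.length}` +
      (parts.length === 5 ? ' (5 segments is a JWE, which cannot be read this way)' : ''));
  }
  const [h, p, signature] = parts;
  if (!h || !p) throw new Error('header or payload segment is empty');
  return {
    header: JSON.parse(base64UrlDecode(h)),
    payload: JSON.parse(base64UrlDecode(p)),
    signature, // still Base64Url; opaque to a decoder
  };
}

// Translate iat/exp/nbf (epoch seconds) to ISO timestamps and classify the
// token. `now` is injected as epoch seconds so results are reproducible.
function describeTimestamps(payload, now = Math.floor(Date.now() / 1000)) {
  const isTime = (v) => typeof v === 'number' && Number.isFinite(v);
  const toIso = (v) => (isTime(v) ? new Date(v * 1000).toISOString() : null);
  const out = { iat: toIso(payload.iat), exp: toIso(payload.exp), nbf: toIso(payload.nbf),
                status: 'no-expiry', secondsLeft: null };
  if (isTime(payload.exp)) {
    out.secondsLeft = payload.exp - now;
    out.status = out.secondsLeft > 0 ? 'valid' : 'expired'; // exp itself is already rejected
  }
  if (out.status !== 'expired' && isTime(payload.nbf) && payload.nbf > now) {
    out.status = 'not-yet-valid';
  }
  return out;
}

// One call that does what the tool's input box does.
function inspect(raw, now) {
  const { header, payload, signature } = decodeJwt(raw);
  return { header, payload, signature, times: describeTimestamps(payload, now) };
}

// The long-standing jwt.io demo token: HS256 header, sub/name/iat payload, no exp.
const JWT_IO_DEMO =
  'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.' +
  'eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.' +
  'SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c';

// Constructed sample with nbf and a one-hour exp; the signature is a placeholder
// because a decoder never looks at it.
const SAMPLE_WITH_EXP =
  base64UrlEncode('{"alg":"HS256","typ":"JWT"}') + '.' +
  base64UrlEncode('{"sub":"1234567890","scope":"read","iat":1700000000,"nbf":1700000000,"exp":1700003600}') +
  '.placeholder-signature';
```

Passing `now` explicitly is also the habit to keep when hunting expiry bugs: a token that looks "expired" on a laptop with a skewed clock is often fine on the server, and the reverse.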