JWT Decoder

Decode JSON Web Tokens to inspect header and payload claims, with expiry check. Decoding only — your token never leaves the browser.

● Runs locallyNothing uploadedFree foreverNo sign-up needed

About this tool

Paste a JWT to see its decoded header and payload as formatted JSON, with human-readable timestamps for the iat, exp and nbf claims and a clear expired / valid indicator. The signature segment is shown but not verified — verification requires the signing secret or public key, which should never be pasted into a website.

A JWT is three Base64URL segments — header.payload.signature — and the first two are merely encoded, not encrypted. That makes inspection trivial, and it is also why secrets must never be stored in JWT claims. This decoder runs entirely locally, which matters because production tokens grant real access.

How to use it

  1. Paste the full token (xxxxx.yyyyy.zzzzz).
  2. Read the decoded header and payload, with claim timestamps translated.
  3. Check the expiry indicator before debugging further.

Frequently asked questions

Is decoding a JWT the same as verifying it?

No. Decoding just reads the public segments. Verification cryptographically checks the signature against a key — something a server should do, never a random web page.

Why does my decoded token show strange numbers for exp?

JWT timestamps are Unix epoch seconds. This tool converts them to your local date and time automatically.

Is it safe to paste a real token here?

The decode happens in your browser with no network requests, so the token is not transmitted. Still, prefer expired or development tokens as a habit.