JWT Decoder
Inspect JWT header, payload & claims.
How to use
- 1 Paste the JWT (header.payload.signature).
- 2 Read the decoded header and payload.
- 3 Check the highlighted iat / exp / nbf claims and expiry status.
- 4 Copy any part you need.
About JWT Decoder
A JSON Web Token (JWT) is three Base64URL-encoded segments — header, payload and signature — separated by dots.
This decoder splits the token, decodes the header and payload to readable JSON, and surfaces the standard time claims (iat, exp, nbf) as human dates, flagging whether the token has expired.
It deliberately does not verify the signature, because verification requires the secret or public key, which you should never paste into a website.
That is exactly why decoding belongs in the browser: tokens carry identity and session data, and this tool reads them locally without ever transmitting them.
Use it to debug auth flows, check what scopes a token carries, or confirm an expiry time.
FAQ
Does it verify the signature?
No. Verification needs the signing key, which you should never share. This tool only decodes — safely and locally.
Is my token sent anywhere?
Never. Decoding happens entirely in your browser.