JWT Decoder
Decode JWT header and payload instantly — with human-readable expiry dates. Nothing leaves your browser.
Decoding only — this tool does not and cannot verify the signature. Never trust a token's contents in production without server-side verification. Your token never leaves this page.
About this tool
A JSON Web Token looks like random gibberish, but it's actually three Base64URL-encoded segments separated by dots: a header (which algorithm signed it), a payload (the claims — user ID, roles, expiry), and a signature. Debugging authentication almost always starts with the same question: what's actually inside this token? Paste it here and both JSON documents appear, formatted and readable, instantly.
The decoder also translates the timestamps humans can't read: iat (issued at) and exp (expiry) are Unix epoch seconds like 1799150400, which this tool converts to your local date and time — and it tells you outright whether the token is expired or still valid. Since "why is this request getting 401?" is very often answered by "because the token expired an hour ago," that one line saves real debugging time.
Two honest notes, stated on the tool itself. First, this decodes but does not verify — checking a signature requires the secret or public key, and no paste-a-token website can legitimately do it. Never trust a token's claims server-side without verification. Second, and this is why running locally matters more here than for any other tool: JWTs are live credentials. Pasting one into a site that uploads it to a server is handing over a key. Here, the token never leaves your browser — decode with confidence.
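The decoding steps described above, written out as an added example (not this tool's own source): split on the dots, Base64URL-decode the first two segments, parse the JSON, and convert `iat`/`exp` from epoch seconds. The function names and the sample token, whose signature segment is a dummy, are constructed for illustration.

```javascript
// Added example: decode-only JWT inspection. It never checks the signature.
function b64urlToText(seg) {
  // Base64URL uses '-' and '_' and drops '=' padding; map back to standard Base64.
  if (!/^[A-Za-z0-9_-]*$/.test(seg)) throw new Error("not Base64URL");
  if (seg.length % 4 === 1) throw new Error("invalid Base64URL length");
  const b64 =
    seg.replace(/-/g, "+").replace(/_/g, "/") + "=".repeat((4 - (seg.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  // Decode as UTF-8 so non-ASCII claim values survive; reject malformed bytes.
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

function decodeJwt(token, nowMs = Date.now()) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const header = JSON.parse(b64urlToText(parts[0]));
  const payload = JSON.parse(b64urlToText(parts[1]));
  // iat and exp are Unix epoch seconds; JavaScript Date wants milliseconds.
  const toDate = (v) => (typeof v === "number" ? new Date(v * 1000) : null);
  const expiresAt = toDate(payload.exp);
  return {
    header,
    payload,
    issuedAt: toDate(payload.iat),
    expiresAt,
    // null when the token carries no numeric exp claim
    expired: expiresAt ? nowMs >= expiresAt.getTime() : null,
    signatureVerified: false, // decoding alone can never make this true
  };
}

// Constructed sample token; the third segment is a dummy, not a real MAC.
function makeSampleToken() {
  const enc = (obj) =>
    btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return [
    enc({ alg: "HS256", typ: "JWT" }),
    enc({ sub: "user-123", iat: 1799146800, exp: 1799150400 }),
    "ZHVtbXktc2lnbmF0dXJl",
  ].join(".");
}

const sample = decodeJwt(makeSampleToken(), Date.UTC(2030, 0, 1));
console.log(sample.payload, sample.expiresAt.toISOString(), "expired:", sample.expired);
```

The result always carries `signatureVerified: false`: anyone can build a token that decodes cleanly, as `makeSampleToken` does, so the decoded claims are for debugging only.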
How to use the JWT Decoder
1. Paste your JWT (or click Load sample to see how it works).
2. Read the decoded header and payload as formatted JSON.
3. Check the timestamps section — expiry is shown in your local time, flagged expired or still valid.
4. Remember: this reads the token; it does not verify the signature.
Frequently asked questions
Is it safe to paste a real JWT here?
Yes, on this tool specifically — decoding runs entirely in your browser and the token is never transmitted, logged or stored. That's a critical property, because JWTs are live credentials. Be wary of any decoder that can't make this guarantee.
Why doesn't this tool verify the signature?
Verification requires the signing secret (HMAC) or the issuer's public key (RSA/ECDSA) — which you shouldn't paste into any website. Decoding shows what a token claims; only your server, holding the key, can confirm those claims are authentic.
Aren't JWTs encrypted? How can this just read one?
Standard JWTs are signed, not encrypted — the payload is only Base64URL-encoded, which anyone can reverse. That's why you should never put secrets (passwords, card numbers) inside a JWT payload. The signature prevents tampering, not reading.
What are iat, exp and the other short claim names?
Registered claims from the JWT spec: iat = issued at, exp = expiry, sub = subject (usually the user ID), iss = issuer, aud = audience. This tool converts iat and exp to readable local dates and checks expiry for you.