JWT Decoder

Paste a JSON Web Token to instantly inspect its header, payload, and claims — decoded in your browser with no uploads.

No uploads — browser only · Instant decode

JWT Token

Header & Payload

Decodes the header (algorithm, token type) and payload (claims) sections of any JWT.

Signature NOT verified

This tool decodes without verifying the signature. Never share production tokens in external tools.

Expiry Detection

The exp claim is automatically checked against the current time — expired tokens are flagged visually.

How to decode a JWT

  1. Copy your JWT token (usually from an Authorization header, cookie, or dev tool).
  2. Paste it into the input box above.
  3. Click Decode JWT — header and payload are shown instantly.
  4. Inspect claims, expiry date, issuer, and other fields.

Privacy — your tokens stay local

JWT decoding is pure base64url — no server call is needed. Your token never leaves your browser. Never paste production tokens containing sensitive data into external online tools.

Frequently Asked Questions

What is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe way of transmitting claims between two parties. It has three base64url-encoded parts: header, payload, and signature, separated by dots.

Is the signature verified?

No — signature verification requires the secret key or public key used to sign the token. This tool only decodes the header and payload. For signature verification use your backend or a library like jsonwebtoken.

What claims are shown automatically?

The tool highlights standard registered claims: exp (expiry), iat (issued at), and nbf (not before) — converting Unix timestamps to human-readable UTC dates.

Is it safe to decode tokens here?

Decoding happens entirely in your browser — nothing is sent to a server. That said, avoid pasting real production tokens containing sensitive personal data into any web tool, including this one.

Why does my token show "invalid JWT"?

A valid JWT must have exactly three parts separated by dots. If your token is truncated, URL-encoded, or has extra whitespace it may fail. Make sure you copied the full token.
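The following is an added example, not this tool's own code: a decode-only inspector in JavaScript that applies the checks described in the answers above (three dot-separated base64url parts, `exp`/`iat`/`nbf` converted to UTC, expiry flagged, signature left unverified). The names `inspectJwt`, `b64urlToJson` and `SAMPLE` are hypothetical, and the sample token is constructed.

```javascript
const TIME_CLAIMS = ["exp", "iat", "nbf"];

function b64urlToJson(segment) {
  // base64url uses '-' and '_' and omits '=' padding; reject anything else
  // (whitespace, '%2E' from URL-encoding, standard-base64 '+' or '/').
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error("segment is not base64url");
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/")
    .padEnd(Math.ceil(segment.length / 4) * 4, "=");
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder("utf-8", { fatal: true }).decode(bytes));
}

function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.split(".");
  if (parts.length !== 3) {
    return { ok: false, error: `expected 3 dot-separated parts, got ${parts.length}` };
  }
  if (!/^[A-Za-z0-9_-]*$/.test(parts[2])) {
    return { ok: false, error: "signature part is not base64url" };
  }
  let header, payload;
  try {
    header = b64urlToJson(parts[0]);
    payload = b64urlToJson(parts[1]);
  } catch (e) {
    return { ok: false, error: `header/payload not decodable: ${e.message}` };
  }
  const times = {}; // Unix seconds -> human-readable UTC
  for (const name of TIME_CLAIMS) {
    if (typeof payload[name] === "number") {
      times[name] = new Date(payload[name] * 1000).toISOString();
    }
  }
  return {
    ok: true, header, payload, times,
    expired: typeof payload.exp === "number" && nowSeconds >= payload.exp,
    notYetValid: typeof payload.nbf === "number" && nowSeconds < payload.nbf,
    signatureVerified: false, // decoding alone never proves who issued the token
  };
}

// Constructed sample token; the third part is a placeholder, not a real signature.
const SAMPLE = [
  btoa(JSON.stringify({ alg: "HS256", typ: "JWT" })),
  btoa(JSON.stringify({ sub: "user-1", iat: 1700000000, exp: 1700003600 })),
  "c2ln",
].map((p) => p.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "")).join(".");
```

Every result carries `signatureVerified: false`, so the decoded claims should be treated as untrusted input until a backend has verified the signature with the correct key.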
