JWT Decoder
Inspect any JSON Web Token (JWT) right in your browser. Paste a token and instantly see its decoded header and payload as formatted JSON, the signing algorithm, and the standard time claims — expiration, issued-at, and not-before — rendered as human-readable dates with an at-a-glance expired or active badge. The signature segment is shown as-is but never verified: decoding and verification are separate things, and this tool only reads what the token already contains. Everything runs locally on your device, so even tokens from production systems never leave your browser. Free, fast, and private.
Decoded locally in your browser. The signature is not verified, so a decoded token does not prove it is authentic or untampered.
How to use
Paste a JWT — three base64url segments joined by dots, header.payload.signature — into the box, or click Sample to load an example. The decoded header and payload appear as formatted JSON you can copy with one click, the algorithm and type are shown as chips, and any exp, iat, nbf, or auth_time claims are listed with their local and UTC times plus an expired, active, or not-yet-valid badge. Use Clear to start over.
Frequently asked questions
- Does this verify the token's signature?
- No. This tool only decodes a JWT — it base64url-decodes and JSON-parses the header and payload so you can read them. It does not verify the signature, check the issuer, or confirm the token hasn't been tampered with. A token that decodes successfully is not proof that it is authentic; always verify signatures server-side with the correct key before trusting a token.
- How are exp and iat shown?
- JWT time claims (exp, iat, nbf, auth_time) are stored as NumericDate values — seconds since the Unix epoch. The decoder converts them to a readable local date and time as well as the UTC ISO 8601 form. For exp it shows whether the token has expired, and for nbf whether it is not yet valid, based on your device's current clock.
- Is my token uploaded anywhere?
- No. The entire decode happens locally in your browser — nothing is sent to a server, logged, or stored. That makes it safe to inspect tokens from real systems, but remember a JWT's payload is only base64-encoded, not encrypted, so treat any token you paste as sensitive.
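The decode-only behaviour described in the answers above, as an added example (not this tool's own code): it base64url-decodes the header and payload, converts NumericDate claims to ISO 8601, and derives the expired / active / not-yet-valid status without touching the signature. The function names, the `verified: false` field, and the sample token are constructed for illustration.

```javascript
// Added example: decode-only JWT inspection. No signature verification is performed.
const enc = new TextEncoder(), dec = new TextDecoder();

// base64url -> UTF-8 string (restore the standard alphabet and padding first)
function b64urlDecode(seg) {
  const b64 = seg.replace(/-/g, "+").replace(/_/g, "/")
                 .padEnd(Math.ceil(seg.length / 4) * 4, "=");
  return dec.decode(Uint8Array.from(atob(b64), c => c.charCodeAt(0)));
}

// UTF-8 string -> base64url; used only to build the constructed sample token
function b64urlEncode(str) {
  const bin = String.fromCharCode(...enc.encode(str));
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

const TIME_CLAIMS = ["exp", "iat", "nbf", "auth_time"];

function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const header = JSON.parse(b64urlDecode(parts[0]));
  const payload = JSON.parse(b64urlDecode(parts[1]));

  // NumericDate = seconds since the Unix epoch; Date wants milliseconds
  const times = {};
  for (const name of TIME_CLAIMS) {
    if (typeof payload[name] === "number") {
      times[name] = new Date(payload[name] * 1000).toISOString();
    }
  }
  let status = "active";
  if (typeof payload.nbf === "number" && nowSeconds < payload.nbf) status = "not-yet-valid";
  if (typeof payload.exp === "number" && nowSeconds >= payload.exp) status = "expired";

  // The signature segment is passed through untouched; verified is always false here
  return { header, payload, alg: header.alg, times, status, signature: parts[2], verified: false };
}

// Constructed sample: the third segment is a placeholder, not a real HMAC
function sampleToken() {
  const header = { alg: "HS256", typ: "JWT" };
  const payload = { sub: "user-123", iat: 1700000000, nbf: 1700000000, exp: 1700003600 };
  return [b64urlEncode(JSON.stringify(header)), b64urlEncode(JSON.stringify(payload)),
          "constructed-signature"].join(".");
}

console.log(inspectJwt(sampleToken(), 1700001800));
```

Swapping the payload segment for a different one decodes just as cleanly, which is why a successful decode says nothing about authenticity.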