JWT Decoder

Decode and inspect JWT tokens.

100% private. Decoding happens locally in your browser — your token is never sent, uploaded, or stored anywhere.

Free online JWT decoder

Paste a JSON Web Token to instantly decode and inspect its contents. This JWT decoder splits the token into its three parts, Base64url-decodes the header and payload, and pretty-prints them as readable JSON — all live as you type. It also converts the standard iat, nbf, and exp timestamps into human-readable dates and warns you when a token has expired. It is perfect for debugging authentication flows, inspecting access tokens, and understanding what claims an API is sending.

How to decode a JWT

  1. Copy your token and paste it into the box above.
  2. Read the decoded Header and Payload as formatted JSON.
  3. Check the issued, not-before, and expiry dates, and watch for an expired flag.
  4. Click Copy header or Copy payload to grab either section.

Decoding is not verifying

A JWT is only Base64url-encoded, not encrypted, so anyone can read its payload — that is exactly what this tool does. Decoding a token tells you nothing about whether it is authentic or still valid. The signature must be checked on your server with the correct key before you trust any claim. If you want to inspect the raw encoding by hand, try the Base64 decoder, and to tidy up a decoded payload use the JSON formatter.

Private by design

Every part of the decode runs in your browser with JavaScript. Your token is never uploaded or logged, so it is safe to inspect sensitive access tokens and credentials. When you are finished, click Clear to wipe the box.

Frequently asked questions

What is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe token made of three Base64url-encoded parts separated by dots: a header, a payload, and a signature. The header describes the signing algorithm, the payload holds claims such as the subject and expiry, and the signature lets a server verify the token was not tampered with. JWTs are widely used for authentication and stateless sessions.

Does this tool verify the signature?

No. This is a decoder, not a validator. It splits the token and Base64url-decodes the header and payload so you can read them, but it does not check the signature or the secret. A decoded token tells you what a JWT claims — never treat it as proof that the token is authentic or unexpired. Always verify signatures on your server with the correct key.

Is my token sent to a server?

No. Decoding happens entirely in your browser with JavaScript. Your token is never uploaded, logged, or stored, so it is safe to inspect access tokens and other sensitive credentials here. For extra safety, clear the box when you are done.

What do exp, iat, and nbf mean?

These are standard registered claims expressed as Unix timestamps in seconds. "iat" (issued at) is when the token was created, "nbf" (not before) is the earliest time it may be used, and "exp" (expiration) is when it stops being valid. This tool converts each of them to a human-readable date and flags a token whose expiry is in the past.

Why does my token show as expired?

If the payload contains an "exp" claim whose time has already passed, the decoder shows an expired note. Bear in mind the check uses your device clock, and this tool does not verify signatures — a server may still reject a token for other reasons even if the expiry looks fine.