JWT Decoder

Paste a JSON Web Token and read exactly what's inside — header, payload, and expiry dates.

🔒 Runs entirely in your browser — your token never leaves your device

Waiting for a token…

How it works

A JWT is just three Base64URL-encoded pieces joined by dots — no secret needed to read them.

1

Paste the token

Drop in any JSON Web Token. It stays in your browser — nothing is sent anywhere.

2

Read the contents

The header and payload are Base64URL-decoded and pretty-printed as JSON.

3

Check the dates

Times like exp, iat and nbf are shown as real, readable dates.

About JSON Web Tokens

A JWT (JSON Web Token) is a compact way to carry information between two parties. It has three parts separated by dots: a header (which signing algorithm is used), a payload (the actual data, called claims), and a signature (used by the server to confirm the token wasn't tampered with).

The header and payload aren't encrypted — they're only Base64URL-encoded, which anyone can reverse. That's exactly what this tool does. Because of that, you should never put secrets in a JWT payload.

Important: decoding is not the same as verifying. This tool reads the token but does not check the signature, so it can't tell you whether a token is genuine. Always verify signatures on your server with the correct secret or public key before trusting a token.

🔒

Private by design. Everything happens right here in your browser. Your token is never uploaded — we never see it.

Frequently Asked Questions

What is a JWT?
A JSON Web Token is three pieces — a header, a payload and a signature — joined by dots. The header and payload are just encoded JSON, so they can be read without any secret.
Does this verify the token's signature?
No. This tool only decodes and displays what the token contains — it does not check the signature. Never trust a decoded token without validating it on your server.
Can I see when a token expires?
Yes. Standard time claims like exp (expires), iat (issued) and nbf (not before) are shown as human-readable dates so you can tell at a glance whether it's still valid.
Is it safe to paste a real token here?
The token is decoded entirely on your device and never leaves your browser. That said, treat any live token as a password — anyone who has it can use it until it expires.
Why does my token show as expired or invalid?
A JWT must have exactly three dot-separated parts. If it's missing a part, has extra characters, or its exp date is in the past, it will read as invalid or expired here.
Is my token uploaded anywhere?
No. Decoding happens entirely in your browser on your own device. Your token is never uploaded, and we never see it.