Decode a JSON Web Token to inspect its header and payload, with human-readable expiry and issue times. Runs entirely in your browser; tokens are never uploaded.
How to use the JWT Decoder
Paste a JWT in the form header.payload.signature.
Read the decoded header and payload as formatted JSON.
Check the expiry and issued times, and whether the token has expired.
Frequently asked questions
No. Verifying a signature needs the secret or public key. This tool only base64url-decodes and parses the header and payload so you can inspect the claims.
Decoding happens entirely in your browser and nothing is sent anywhere. Still, avoid pasting production tokens you do not control, since a JWT payload is not encrypted.
They are standard time claims in Unix seconds: exp is the expiry, iat is when the token was issued, and nbf is the earliest time it is valid. The tool shows them as readable dates.
A JWT is signed, not encrypted. The header and payload are only base64url-encoded, so anyone can read them. The signature only proves they were not tampered with.
This JWT decoder splits a JSON Web Token into its three parts and decodes the header and payload into readable JSON. It highlights the standard time claims and flags tokens that have expired.
It is a debugging aid for developers working with authentication. Decoding is client-side only; it does not verify signatures and your tokens never leave your device.