Decode a JSON Web Token to inspect its header and payload, with human-readable expiry and issue times. Runs entirely in your browser; tokens are never uploaded.
How to use JWT Decoder
Paste a JWT in the form header.payload.signature.
Read the decoded header and payload as formatted JSON.
Check the expiry and issued times, and whether the token has expired.
Frequently asked questions
No. It decodes and displays the header and payload. Verifying the signature needs the signing secret or public key, which you should not paste into any web tool.
Decoding reads the Base64url header and payload, which are not encrypted. Verifying recomputes the signature with the key to prove the token is authentic and unmodified.
Decoding happens entirely in your browser, so the token is not uploaded. Still, treat live tokens as secrets and avoid pasting them on shared computers.
They are standard claims: iat is issued-at, nbf is not-valid-before, and exp is the expiry time. The decoder converts these Unix timestamps to readable local time.
Yes. Expiry does not change how a token is decoded, so you can inspect an expired token's claims and see exactly when it lapsed.
A JWT is signed, not encrypted. The payload is only Base64url-encoded, so anyone can read it. Never put secrets in a JWT payload.
A JSON Web Token has three parts separated by dots: a Base64url-encoded header, a Base64url-encoded payload, and a signature. This decoder splits and decodes the first two parts instantly in your browser, and the token never leaves your device.
The most common use is inspecting a token an API returned: who issued it (iss), when it expires (exp), what permissions it carries (scope or roles), and whether it has already expired. The expiry is shown in readable local time, not a raw Unix timestamp, so you can see at a glance whether the token is still valid.
Note: this tool decodes and displays; it does not verify the signature against a secret key. For signature verification you need the signing secret or public key, which should never be entered into a browser-based tool.
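The decode-only inspection described above, as an added example that is not this tool's own code. The names b64urlDecode, inspectJwt and SAMPLE are hypothetical, the sample token is constructed, and times are printed as UTC ISO 8601 rather than local time so the output is the same on every machine.

```javascript
// Added example: decode-only JWT inspection. No key is used or needed.

// Decode one Base64url segment (no padding, "-" and "_" alphabet) to UTF-8 text.
function b64urlDecode(segment) {
  if (!/^[A-Za-z0-9_-]*$/.test(segment)) throw new Error("not Base64url");
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

// Split header.payload.signature and decode the first two parts.
// `now` is in Unix seconds, the same unit as the iat/nbf/exp claims.
function inspectJwt(token, now = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const header = JSON.parse(b64urlDecode(parts[0]));
  const payload = JSON.parse(b64urlDecode(parts[1]));
  const times = {};
  for (const claim of ["iat", "nbf", "exp"]) {
    if (typeof payload[claim] === "number") {
      times[claim] = new Date(payload[claim] * 1000).toISOString();
    }
  }
  return {
    header,
    payload,
    times,
    expired: typeof payload.exp === "number" ? now >= payload.exp : null,
    notYetValid: typeof payload.nbf === "number" ? now < payload.nbf : null,
    signatureVerified: false, // the third part is never checked here
  };
}

// Constructed sample token; the third part is a placeholder, not a real signature.
const enc = (o) =>
  btoa(JSON.stringify(o)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE = [
  enc({ alg: "HS256", typ: "JWT" }),
  enc({ iss: "https://issuer.example", scope: "read", iat: 1700000000, exp: 1700003600 }),
  "c2ln",
].join(".");

console.log(inspectJwt(SAMPLE, 1700007200));
```

The result decodes cleanly even though the signature part is meaningless, which is why decoded claims should be treated as untrusted until a server verifies the token with its key.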