JWT Token Decoder

Decode and inspect JSON Web Tokens.

Runs in your browser All processing happens locally. Your data never leaves this device.

Decoding only — the signature is not verified. Nothing is sent anywhere.

Overview

A JSON Web Token (JWT) has three Base64URL parts separated by dots: header.payload.signature. The header and payload are JSON; the signature proves the token was issued by a party holding the signing key. This tool decodes the header and payload so you can inspect the claims — locally, without transmitting the token.

How to use

  1. Paste a JWT.
  2. The decoded header and payload appear as formatted JSON.
  3. Time-based claims (iat, exp, nbf) are shown as dates, with an expiry status.

Notes

FAQ

Does this verify the signature?
No. This tool only decodes the Base64URL-encoded header and payload so you can read the claims. It does not verify the signature, which would require the signing key. Never trust a token's contents based on decoding alone.
Is my token sent to a server?
No. Decoding happens entirely in your browser. This matters because JWTs often contain sensitive claims or are themselves credentials — pasting one into a server-side decoder could leak it.
What do iat, exp, and nbf mean?
They are standard registered claims — issued-at, expiration, and not-before — expressed as Unix timestamps. This tool converts them to readable dates and flags whether the token is expired.
Is it safe to paste a real token here?
Because decoding is local and nothing is transmitted, it is far safer than server-side tools. Still, treat production tokens as secrets and avoid pasting them into any tool you do not trust.