Free · No signup · Runs entirely in your browser
JWT Decoder
Paste a JWT to see its header, payload and expiry. It's decoded locally in your browser — the signature is not verified, and nothing you paste ever leaves your machine.
How it works
- Paste a JWT into the text box (header.payload.signature).
- The header and payload are decoded and pretty-printed instantly.
- Check the expiry badge to see if the token is still valid.
- Copy the decoded payload as JSON when you're done.
Frequently asked questions
What is a JWT?
A JWT (JSON Web Token) is a compact, URL-safe token made of three base64url-encoded parts — a header, a payload of claims, and a signature — separated by dots.
Does this verify the signature?
No — this tool only decodes the header and payload. It does not verify the signature, so a decoded token could have been tampered with or issued by anyone. Verification requires the secret key or public key it was signed with.
Is my token sent anywhere?
No. The token is decoded entirely locally in your browser using JavaScript — nothing you paste is uploaded or sent to a server.
What are exp, iat and nbf?
They are standard JWT claims: iat is when the token was issued, nbf is the earliest time it becomes valid, and exp is when it expires — all expressed as Unix timestamps (seconds since 1970).
Is it safe to paste a token here?
It stays in your browser and is never uploaded, but treat production tokens and secrets with care — avoid pasting sensitive tokens into any tool you don't fully trust, and prefer test tokens when possible.