256 Tools

JWT Decoder

Your token is decoded in your browser and never sent anywhere.

Header
{
  "alg": "HS256",
  "typ": "JWT"
}
Payload
{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022,
  "exp": 1900000000
}
Time claims (your local time)
  • exp: Mar 17, 2030, 5:46:40 PM
  • iat: Jan 18, 2018, 1:30:22 AM

This tool only decodes the token; it does not verify the signature, which requires the secret or public key.

Paste a JSON Web Token (JWT) to instantly read its header and payload as formatted JSON. Time claims like expiry and issued-at are shown in your local time, and you can see at a glance whether the token has expired. Decoding happens entirely in your browser — your token is never uploaded.

How to use

  1. Paste your JWT into the box (the three parts separated by dots).
  2. Read the decoded header and payload below as formatted JSON.
  3. Check the time claims and expiry status, and copy what you need.

How it works

A JWT has three parts separated by dots: header.payload.signature. The header and payload are Base64URL-encoded JSON, so they can be decoded by anyone — they are not encrypted. The signature proves the token has not been tampered with, but verifying it needs the secret or public key, so this tool decodes only and never checks the signature.

A JWT splits into header, payload and signature parts: header.payload.signature
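The decode-only behaviour described above, as an added JavaScript example (not this tool's own code). The function names, the `signatureVerified` field and the sample token are constructed for illustration; it runs in a browser or in Node.js 16+.

```javascript
// Decode one Base64URL segment into a JSON object (no signature involved).
function decodeSegment(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error("not Base64URL");
  // Base64URL -> Base64: swap the URL-safe characters, restore '=' padding.
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/")
    .padEnd(Math.ceil(segment.length / 4) * 4, "=");
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  const text = new TextDecoder("utf-8", { fatal: true }).decode(bytes);
  const value = JSON.parse(text);
  if (value === null || typeof value !== "object" || Array.isArray(value)) {
    throw new Error("segment is not a JSON object");
  }
  return value;
}

// Decode header and payload; compare exp against nowSeconds (UNIX seconds).
function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const header = decodeSegment(parts[0]);
  const payload = decodeSegment(parts[1]);
  const times = {};
  for (const claim of ["exp", "iat", "nbf"]) {
    if (Number.isFinite(payload[claim])) {
      times[claim] = new Date(payload[claim] * 1000).toISOString();
    }
  }
  // Expired means now is at or past exp; null when the token carries no exp.
  const expired = Number.isFinite(payload.exp) ? nowSeconds >= payload.exp : null;
  // The third part is never checked here: that needs the secret or public key.
  return { header, payload, times, expired, signatureVerified: false };
}

// Constructed sample: the page's header and payload with a placeholder signature.
const toB64Url = (obj) => btoa(JSON.stringify(obj))
  .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE_TOKEN = [
  toB64Url({ alg: "HS256", typ: "JWT" }),
  toB64Url({ sub: "1234567890", name: "John Doe", iat: 1516239022, exp: 1900000000 }),
  "placeholder_signature",
].join(".");

console.log(decodeJwt(SAMPLE_TOKEN));
```

The placeholder signature decodes without complaint, which is the point: a decoded payload is readable but unauthenticated until the signature is verified with the key.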

Features

Header & payload

Both parts are decoded and pretty-printed as readable JSON.

Readable times

Claims like exp, iat and nbf are shown in your local date and time, not raw numbers.

Expiry check

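A clear badge tells you whether the token has expired or not, based on its exp claim. Because the signature is not checked, the badge says nothing about whether the token is authentic.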

One-click copy

Copy the header or payload JSON to your clipboard in a click.

Fully local

Your token is decoded in the browser and is never sent to a server.

When to use it

API debugging

Inspect the claims in a token while testing a protected API endpoint.

Auth troubleshooting

Check the subject, roles and expiry when a login or session behaves unexpectedly.

Inspect a token

Quickly see what data a JWT carries without writing any code.

Learning

Explore the structure of JWTs to understand how token-based auth works.

Notes

  • This tool decodes only; it does not verify the signature.
  • JWT payloads are encoded, not encrypted — never treat them as secret.
  • Time claims (exp, iat, nbf) are UNIX seconds, shown here in your local time.
  • Decoding happens on your device, but avoid pasting sensitive tokens on shared computers.

FAQ

Does it verify the signature?
No. Verifying a JWT signature requires the secret or public key. This tool only decodes the header and payload so you can read them.
Is it safe to paste my token here?
Decoding happens entirely in your browser and the token is never uploaded. Still, avoid pasting live, sensitive tokens on a shared or public computer.
What is the exp claim?
exp is the expiry time as a UNIX timestamp (seconds). If it is in the past, the token is expired. This tool shows it in your local time.
What if the token is invalid?
If the token is not a valid JWT or its parts are not proper Base64URL JSON, an error message is shown instead of a result.
Should I keep my JWT secret?
Yes. Anyone with the token can read its payload and may be able to use it until it expires, so treat tokens like passwords.
