JWT decoder

Paste a JWT: the header and payload are decoded and pretty-printed, with issued-at and expiration times shown as readable dates and a warning if the token has expired.

๐Ÿ”’ Your token stays in your browser: it is never sent to any server.

What's inside a JWT

A JSON Web Token has three parts separated by dots: the header (the signing algorithm, such as HS256 or RS256), the payload (the "claims": who you are, when the token was issued, when it expires) and the signature. The first two parts are just Base64URL โ€” not encrypted. Anyone who receives the token can read them, and that's exactly what this tool does. The time-based claims iat (issued at), exp (expires at) and nbf (not valid before) are Unix timestamps in seconds: here they're converted to readable dates in your local time zone.

Heads up: this tool does not verify the signature

Decoding is not the same as validating: verifying the signature would require the secret key or the issuer's public key, which this tool doesn't have and never asks for. A token that decodes cleanly can still be forged or tampered with โ€” signature verification always belongs on the server. One more important tip: don't paste sensitive production tokens (active sessions, API keys). Even though nothing here leaves your browser, a valid token pasted around is like a password written on a sticky note. Use test tokens or ones that have already expired.