JWT decoder
Paste a JWT: the header and payload are decoded and pretty-printed, with issued-at and expiration times shown as readable dates and a warning if the token has expired.
What's inside a JWT
A JSON Web Token has three parts separated by dots: the header (the signing
algorithm, such as HS256 or RS256), the payload (the "claims": who you are,
when the token was issued, when it expires) and the signature. The first two
parts are just Base64URL โ not encrypted. Anyone who receives the token can read them, and
that's exactly what this tool does. The time-based claims iat (issued at),
exp (expires at) and nbf (not valid before) are Unix timestamps in
seconds: here they're converted to readable dates in your local time zone.
Heads up: this tool does not verify the signature
Decoding is not the same as validating: verifying the signature would require the secret key or the issuer's public key, which this tool doesn't have and never asks for. A token that decodes cleanly can still be forged or tampered with โ signature verification always belongs on the server. One more important tip: don't paste sensitive production tokens (active sessions, API keys). Even though nothing here leaves your browser, a valid token pasted around is like a password written on a sticky note. Use test tokens or ones that have already expired.