Drop in an access token, ID token, or session JWT and see exactly what it contains. This decoder splits the token on its dots, base64url-decodes the header and payload segments, and pretty-prints the resulting JSON so you can read every claim at a glance. Standard timestamp claims — exp, iat, and nbf — are also converted from Unix seconds into human-readable local and ISO 8601 strings, so you don't have to do the math by hand. The signature is never verified; this is purely a client-side inspector for understanding token contents during debugging.
Copy a token from an Authorization header, cookie, or login response and paste the full three-segment string into the input box.
The header panel shows the algorithm and token type exactly as they were encoded, so you can confirm what signing method the issuer used.
The payload panel pretty-prints every claim. Recognized timestamp fields (exp, iat, nbf) are annotated with a readable local time and ISO 8601 string next to the raw Unix value.
A status line reports whether the token parsed successfully and, if it has an exp claim, whether it is currently expired — all computed locally against your device clock.
Paste an access token returned from your login flow to confirm the issuer, audience, and scopes are what your backend expects before chasing a 401.
Quickly see the human-readable expiration time on a customer-reported token to determine whether "session expired" reports are simply a stale token.
Confirm that custom claims (roles, tenant IDs, permissions) are shaped the way your API middleware expects, without wiring up a full decode step in your app.
See the three-part anatomy of a real token — header, payload, signature — laid out side by side while studying how token-based auth works.
No. This is a decoder, not a validator. It only base64url-decodes the header and payload segments to show you their contents — it never checks the signature against a secret or public key, since doing that safely requires the issuer's key material, which this tool never asks for.
No. Decoding happens entirely in your browser using the built-in atob/TextDecoder APIs. The token never leaves your device, is not logged, and is not transmitted to any server.
A JWT must have exactly three dot-separated segments (header.payload.signature) and the header/payload segments must be valid base64url-encoded JSON. Truncated tokens, extra whitespace, or tokens that are actually opaque strings (not JWTs) will fail to decode.
They are registered JWT claims expressed as Unix timestamps (seconds since epoch): exp is the expiration time, iat is when the token was issued, and nbf is the earliest time the token is valid ("not before"). This tool converts each of these to a local and ISO time so you don't have to convert them manually.
No. This decoder handles standard signed JWTs (JWS) whose payload is plain base64url-encoded JSON. Encrypted JWTs (JWE) have a ciphertext payload that cannot be decoded without the decryption key, so they will not produce readable claims here.
{
"alg": "HS256",
"typ": "JWT"
}{
"sub": "1234567890",
"name": "Ada Lovelace",
"iat": 1710000000, // 3/9/2024, 4:00:00 PM (local) · 2024-03-09T16:00:00.000Z
"exp": 1741536000 // 3/9/2025, 4:00:00 PM (local) · 2025-03-09T16:00:00.000Z
}