JWT Decoder

Reserved · Sponsored728 × 90 · zero layout shift

What this tool does

Drop in an access token, ID token, or session JWT and see exactly what it contains. This decoder splits the token on its dots, base64url-decodes the header and payload segments, and pretty-prints the resulting JSON so you can read every claim at a glance. Standard timestamp claims — exp, iat, and nbf — are also converted from Unix seconds into human-readable local and ISO 8601 strings, so you don't have to do the math by hand. The signature is never verified; this is purely a client-side inspector for understanding token contents during debugging.

How to use

  1. 1
    Paste the JWT

    Copy a token from an Authorization header, cookie, or login response and paste the full three-segment string into the input box.

  2. 2
    Review the decoded header

    The header panel shows the algorithm and token type exactly as they were encoded, so you can confirm what signing method the issuer used.

  3. 3
    Inspect the payload claims

    The payload panel pretty-prints every claim. Recognized timestamp fields (exp, iat, nbf) are annotated with a readable local time and ISO 8601 string next to the raw Unix value.

  4. 4
    Check the status line

    A status line reports whether the token parsed successfully and, if it has an exp claim, whether it is currently expired — all computed locally against your device clock.

Use cases

  • Debug an auth integration

    Paste an access token returned from your login flow to confirm the issuer, audience, and scopes are what your backend expects before chasing a 401.

  • Check token expiry during support

    Quickly see the human-readable expiration time on a customer-reported token to determine whether "session expired" reports are simply a stale token.

  • Verify claim structure during development

    Confirm that custom claims (roles, tenant IDs, permissions) are shaped the way your API middleware expects, without wiring up a full decode step in your app.

  • Learn how JWTs are structured

    See the three-part anatomy of a real token — header, payload, signature — laid out side by side while studying how token-based auth works.

FAQ

Does this tool verify the JWT signature?+

No. This is a decoder, not a validator. It only base64url-decodes the header and payload segments to show you their contents — it never checks the signature against a secret or public key, since doing that safely requires the issuer's key material, which this tool never asks for.

Is my token sent anywhere?+

No. Decoding happens entirely in your browser using the built-in atob/TextDecoder APIs. The token never leaves your device, is not logged, and is not transmitted to any server.

Why do I see a red error for my token?+

A JWT must have exactly three dot-separated segments (header.payload.signature) and the header/payload segments must be valid base64url-encoded JSON. Truncated tokens, extra whitespace, or tokens that are actually opaque strings (not JWTs) will fail to decode.

What do exp, iat, and nbf mean?+

They are registered JWT claims expressed as Unix timestamps (seconds since epoch): exp is the expiration time, iat is when the token was issued, and nbf is the earliest time the token is valid ("not before"). This tool converts each of these to a local and ISO time so you don't have to convert them manually.

Can this tool decode encrypted JWTs (JWE)?+

No. This decoder handles standard signed JWTs (JWS) whose payload is plain base64url-encoded JSON. Encrypted JWTs (JWE) have a ciphertext payload that cannot be decoded without the decryption key, so they will not produce readable claims here.

Related tools