devtools

JWT Decoder

Decode JSON Web Tokens and inspect header, payload, expiry and claims.

client-sidefreeno-signup
{
  "alg": "HS256",
  "typ": "JWT"
}
{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}
not verified
49f94ac7044948c78a285d904f87f0a4c7897f7e8f3a4eb2255fda750b2cc397
decoded locally · never sent anywhere · signatures are not verified
// how to use

How to use the JWT Decoder

A JSON Web Token has three Base64url parts separated by dots: header.payload.signature. Paste a token to decode the header and payload into readable JSON, inspect its claims, and see whether it has expired — all without leaving your browser.

  1. 01Paste a JWT into the input box.
  2. 02Read the header and payload as formatted JSON, and the signature as hex.
  3. 03If the payload has an exp claim, a banner shows whether the token is still valid or already expired.

tips

  • Decoding is not verifying. Anyone can read the payload — the signature is what proves the token wasn’t tampered with, and this tool does not check it.
  • It is safe to paste a token here: nothing is sent anywhere. Still, never share a live access token publicly.
  • The exp, iat and nbf claims are Unix timestamps in seconds.

frequently asked

What is a JWT?+

A JSON Web Token (JWT) is a compact, URL-safe token made of three Base64url parts separated by dots: header.payload.signature. The header describes the algorithm, the payload carries claims (like user id, issuer, expiry), and the signature proves integrity. JWTs are widely used for authentication and API authorization.

Does decoding a JWT verify it?+

No. Decoding only reads the unencrypted header and payload — anyone can do that. Verifying the signature requires the secret or public key and proves the token was not tampered with. This tool decodes only; it does not verify signatures.

Is it safe to paste my JWT here?+

Decoding happens entirely on your device in JavaScript — the token is never sent anywhere. That said, never share a live access token publicly: although the payload is not encrypted, it still leaks claims like user IDs, and anyone who has the full token can use it until it expires.

How do I know if my token is expired?+

Check the exp claim in the payload. It is a Unix timestamp in seconds. This tool automatically compares it to the current time and flags expired tokens. Tokens without an exp claim never expire by themselves.

related tools

Base64 Encode / Decode