JWT Decoder
Decode JWT headers and payloads. Highlights expired tokens and labels standard claims. Does not verify signatures — browser-only.
About this tool
A JSON Web Token is three Base64url-encoded parts separated by dots: a header, a payload, and a signature. This tool decodes the header and payload so you can inspect what a token contains without trusting it.
The decoder highlights exp (expiration) and nbf (not-before) claims — the two most common reasons a token is rejected at runtime. Standard claims are labeled with their conventional meaning, and epoch timestamps are shown in ISO-8601 alongside the raw number.
Signature verification is not performed. A valid-looking decoded payload doesn’t tell you whether the token was signed by a trusted issuer or tampered with. Signature verification belongs on the server and requires the signing key or public key.
Frequently asked questions
Does this verify the JWT signature?
No. Verification requires the signing key or public key paired with the token. This tool decodes only — it shows you what the token claims. Do not trust any claim you see here without server-side verification.
Is it safe to paste a real production JWT here?
The JWT never leaves your browser — decoding happens in-page via JavaScript. That said, JWTs are bearer credentials, so treat them like passwords. If you’re debugging a token you received, consider that browser extensions and devtools history may retain the URL hash.
What claims does the decoder label?
Standard claims are labeled with their meaning: iss (Issuer), sub (Subject), aud (Audience), exp (Expires at), nbf (Not valid before), iat (Issued at), jti (JWT ID). Epoch timestamps are rendered in ISO-8601 alongside the raw number.
What does "expired" mean?
The token’s exp claim is a Unix timestamp in the past. Servers will reject expired tokens. The decoder highlights expiration so you can tell at a glance whether a debugging token is stale.
What algorithms are supported?
Decoding is algorithm-independent — the decoder only reads the header and payload. Algorithm is relevant for verification, which this tool does not perform.