JWT Decoder
Decode JWT headers and payloads, inspect claims, and check expiry. Decode only, nothing is sent anywhere.
About the JWT Decoder
A JSON Web Token carries claims about a user or system as three base64url encoded segments: a header describing the signing algorithm, a payload holding the claims, and a signature. This tool decodes the header and payload so you can read what a token actually says: who issued it, who it is for, when it expires, and any custom claims your application put in it.
Use it when debugging authentication. A request returns 401 and you want to know whether the token is expired, has the wrong audience, or is missing a scope. Paste the token, read the claims, and the expiry check tells you immediately whether time is the problem.
Tokens are credentials. Pasting one into a random website is how credentials leak, which is exactly why this decoder never transmits anything. Decoding is pure base64 and JSON parsing, done in your browser. You can disconnect from the internet and it still works.
One important limitation, by design: this tool does not verify signatures. Verification requires the signing secret or public key, and you should never paste secrets into any website. Decoding shows what a token claims; only your server, holding the key, can confirm the token is genuine.
Frequently asked questions
Is it safe to paste a real token here?
The token never leaves your browser. Decoding is local base64 and JSON parsing with no network requests. That said, treat production tokens carefully everywhere; this tool is safe, but the habit of pasting tokens into websites is not.
Why does it say the signature is not verified?
Verifying a signature requires the secret or public key the token was signed with. A browser tool should never ask for signing secrets, so this tool decodes without verifying. Anyone can read a JWT; only the key holder can confirm it is authentic.
What are exp, iat, and nbf?
They are timestamps in seconds since 1970. exp is when the token expires, iat is when it was issued, and nbf is the earliest time it is valid. The tool converts each one to a readable date and checks exp against the current time.
Why does my token fail to decode?
Check that you pasted the whole token: three segments separated by dots. A common mistake is copying only part of it from a log line, or including extra characters. A Bearer prefix is fine; the tool strips it.
Are JWTs encrypted?
Standard signed JWTs (JWS) are not encrypted, only encoded. Anyone who has the token can read its contents, which is what this tool does. Never put secrets in JWT claims. Encrypted JWTs (JWE) exist but are much rarer and cannot be read without the key.
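The decode-and-check steps described above (strip a Bearer prefix, require three segments, base64url-decode the header and payload, convert exp, iat and nbf to dates, compare against the current time), as an added example that is not this tool's own source code. The function names, the status strings and the sample claims are assumptions made for illustration, and the sample token is constructed.

```javascript
// Added example: decode-only JWT inspection. The signature is never checked.
function segmentToJson(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) {
    throw new Error("segment is empty or has non-base64url characters");
  }
  // base64url -> base64: swap the URL-safe alphabet, restore '=' padding.
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/")
    .padEnd(Math.ceil(segment.length / 4) * 4, "=");
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder("utf-8", { fatal: true }).decode(bytes));
}

function decodeJwt(input, nowSeconds = Math.floor(Date.now() / 1000)) {
  const token = input.trim().replace(/^Bearer\s+/i, ""); // Bearer prefix is fine
  const parts = token.split(".");
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated segments, got ${parts.length}`);
  }
  const header = segmentToJson(parts[0]);
  const payload = segmentToJson(parts[1]);
  // exp, iat and nbf are seconds since 1970; Date wants milliseconds.
  const dates = {};
  for (const name of ["exp", "iat", "nbf"]) {
    if (Number.isFinite(payload[name])) {
      dates[name] = new Date(payload[name] * 1000).toISOString();
    }
  }
  let status = "no exp claim";
  if ("exp" in dates) status = nowSeconds >= payload.exp ? "expired" : "valid";
  if ("nbf" in dates && nowSeconds < payload.nbf) status = "not yet valid";
  // Decoding shows what the token claims; it proves nothing about authenticity.
  return { header, payload, dates, status, signatureVerified: false };
}

// Constructed sample: the third segment is a placeholder, not a real signature.
function constructedToken(payload) {
  const enc = (obj) => btoa(JSON.stringify(obj))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "HS256", typ: "JWT" })}.${enc(payload)}.c2lnbmF0dXJl`;
}

const sample = constructedToken({
  iss: "https://issuer.example", aud: "api.example",
  iat: 1699996400, exp: 1700000000,
});
console.log(decodeJwt(`Bearer ${sample}`, 1699999000));
```

The second argument fixes "now" so the expiry check is reproducible; omit it to compare against the real clock.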