Any file. Any shape.

JWT Decoder

Decode a JWT into its header and payload — free, instant, and entirely private.

🔒 Your files never leave your browser

How it works

A JWT (JSON Web Token) is three base64url-encoded parts separated by dots: a header describing the signing algorithm, a payload carrying the actual claims (user ID, roles, expiration, and so on), and a signature. This tool splits the token on those dots, base64url-decodes the header and payload, and pretty-prints the resulting JSON — entirely inside your browser tab, using nothing more than built-in JavaScript APIs.

If the payload includes an exp claim, it's compared against your system clock and shown as expired or still valid, along with the human-readable expiration and issued-at times. The signature is shown as-is for reference; verifying it would require the issuer's secret or public key, which this tool deliberately never asks for or has.

JWTs are widely used for stateless authentication and API authorization — decoding one is useful for debugging why a login isn't working, checking what claims a token actually carries, or confirming an expiration time without needing access to the backend that issued it.

Limitations

This tool cannot and does not verify a token's signature — that would require a key this tool intentionally never has access to. It only decodes and displays the header and payload contents; treat any token you paste here as something you already trust the contents of, not something this tool vouches for.

FAQ

Is this JWT decoder really free?
Yes — completely free, with no limits and no account required. Decoding happens locally in your browser, so there's no server cost to recoup.
Does this verify the token's signature?
No — verifying a signature requires the secret (for HS256) or public key (for RS256/ES256) that only the issuer has. This tool only decodes the header and payload so you can read what's inside; it doesn't and can't confirm the token is authentic.
Is it safe to paste a real production JWT here?
The token is decoded entirely in your browser tab using plain JavaScript — it's never uploaded or sent over the network. That said, a JWT's payload is only base64-encoded, not encrypted, so anyone who has the token can already read its contents; treat tokens themselves as sensitive.
Why does it say a token is expired?
JWTs commonly include an `exp` claim — a Unix timestamp of when the token stops being valid. This tool compares that timestamp to your current system clock and flags it if it's already in the past. If a token has no `exp` claim, there's nothing to check.