JWT Decoder
Decode a JWT into its header and payload — free, instant, and entirely private.
How it works
A JWT (JSON Web Token) is three base64url-encoded parts separated by dots: a header describing the signing algorithm, a payload carrying the actual claims (user ID, roles, expiration, and so on), and a signature. This tool splits the token on those dots, base64url-decodes the header and payload, and pretty-prints the resulting JSON — entirely inside your browser tab, using nothing more than built-in JavaScript APIs.
If the payload includes an exp claim, it's compared against your system clock and shown as expired or still valid, along with the human-readable expiration and issued-at times. The signature is shown as-is for reference; verifying it would require the issuer's secret or public key, which this tool deliberately never asks for or has.
JWTs are widely used for stateless authentication and API authorization — decoding one is useful for debugging why a login isn't working, checking what claims a token actually carries, or confirming an expiration time without needing access to the backend that issued it.
Limitations
This tool cannot and does not verify a token's signature — that would require a key this tool intentionally never has access to. It only decodes and displays the header and payload contents; treat any token you paste here as something you already trust the contents of, not something this tool vouches for.
FAQ
- Is this JWT decoder really free?
- Yes — completely free, with no limits and no account required. Decoding happens locally in your browser, so there's no server cost to recoup.
- Does this verify the token's signature?
- No — verifying a signature requires the secret (for HS256) or public key (for RS256/ES256) that only the issuer has. This tool only decodes the header and payload so you can read what's inside; it doesn't and can't confirm the token is authentic.
- Is it safe to paste a real production JWT here?
- The token is decoded entirely in your browser tab using plain JavaScript — it's never uploaded or sent over the network. That said, a JWT's payload is only base64-encoded, not encrypted, so anyone who has the token can already read its contents; treat tokens themselves as sensitive.
- Why does it say a token is expired?
- JWTs commonly include an `exp` claim — a Unix timestamp of when the token stops being valid. This tool compares that timestamp to your current system clock and flags it if it's already in the past. If a token has no `exp` claim, there's nothing to check.