JWT Decoder

Decode a JSON Web Token to inspect its header, payload and claims, with expiry checking. Decoding happens locally — your token never leaves the browser.

Decodes locally in your browser — the token is never uploaded. The signature is not verified; do not use this to trust a token.

How JWT decoding works

A JSON Web Token is three Base64URL-encoded segments joined by dots: a header (algorithm and type), a payload (the claims) and a signature. The first two are plain encoded JSON that anyone can read — this tool decodes them and pretty-prints the result, flags expired tokens via the exp claim, and shows registered claims like iss, sub and aud in human-readable form. It does not and cannot verify the signature, which requires the signing secret or public key.

jwt = base64url(header) + "." + base64url(payload) + "." + signature

Frequently asked questions

Does this tool verify the signature?

No. It decodes and displays the token only. Signature verification requires the secret or public key the token was signed with, and must happen on the server that trusts the token. Never treat a decoded token as authentic.

Is my token sent to a server?

No. The token is decoded entirely in your browser with local Base64URL and JSON parsing. It is never transmitted, logged or placed in the page URL. Still, avoid pasting production tokens anywhere you don't have to.

What are the exp, iat and nbf claims?

They are Unix timestamps (seconds): exp is when the token expires, iat is when it was issued, and nbf is the moment before which it must not be accepted. This tool converts each to a readable date and marks tokens past their exp as expired.

Last updated: 7 July 2026

More tools

Runs entirely in your browser — nothing you enter is uploaded. DevMint · MintKit