JWT Decoder
Paste a JSON Web Token and read exactly what's inside — header, payload, and expiry dates.
Waiting for a token…
Header
Payload
A JWT has three parts separated by dots: header.payload.signature.
How it works
A JWT is just three Base64URL-encoded pieces joined by dots — no secret needed to read them.
Paste the token
Drop in any JSON Web Token. It stays in your browser — nothing is sent anywhere.
Read the contents
The header and payload are Base64URL-decoded and pretty-printed as JSON.
Check the dates
Times like exp, iat and nbf are shown as real, readable dates.
About JSON Web Tokens
A JWT (JSON Web Token) is a compact way to carry information between two parties. It has three parts separated by dots: a header (which signing algorithm is used), a payload (the actual data, called claims), and a signature (used by the server to confirm the token wasn't tampered with).
The header and payload aren't encrypted — they're only Base64URL-encoded, which anyone can reverse. That's exactly what this tool does. Because of that, you should never put secrets in a JWT payload.
Important: decoding is not the same as verifying. This tool reads the token but does not check the signature, so it can't tell you whether a token is genuine. Always verify signatures on your server with the correct secret or public key before trusting a token.
Private by design. Everything happens right here in your browser. Your token is never uploaded — we never see it.
Frequently Asked Questions
What is a JWT? ▼
Does this verify the token's signature? ▼
Can I see when a token expires? ▼
exp (expires), iat (issued) and nbf (not before) are shown as human-readable dates so you can tell at a glance whether it's still valid.Is it safe to paste a real token here? ▼
Why does my token show as expired or invalid? ▼
exp date is in the past, it will read as invalid or expired here.