JWT Decoder

Decode a JWT in your browser. View header, payload, and expiry. Token is never sent anywhere.

JWT (JSON Web Token, RFC 7519) is a compact, URL-safe way to pass claims between two parties — most commonly between an API and its clients. A JWT is three Base64URL-encoded sections joined by dots: header.payload.signature.

This decoder parses the header and payload only — it does not verify the signature, which would require the secret or public key. Decoding a token is safe to do anywhere; verifying one requires the server-side keys.

Standard timestamp claims — exp (expires), nbf (not before), and iat (issued at) — are rendered in human-readable form, with a clear expired/valid pill so you can spot at a glance whether the token is still usable.

Example

Input

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkphbmUiLCJpYXQiOjE1MTYyMzkwMjJ9.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Output

Header: { "alg": "HS256", "typ": "JWT" }
Payload: { "sub": "1234567890", "name": "Jane", "iat": 1516239022 }

Frequently asked questions

Is my token sent anywhere?

No. The token is decoded locally in your browser — nothing is transmitted, logged, or stored.

Can this verify the signature?

No — verifying requires the secret or public key, and pasting either of those into a web tool would defeat the security model. Use a server-side library (jsonwebtoken, jose, etc.) for verification.

What does 'JWT expired' mean?

The exp (expiration) claim is in the past, so most APIs will reject the token. Refresh it through your auth provider to get a new one.

Related tools