JWT Decoder

Decode and inspect JSON Web Tokens — header, payload and expiry

What is it and how does it work?

A JWT decoder takes a JSON Web Token and shows what is inside: the header (algorithm and token type), the payload (the claims — user ID, roles, expiry time) and the signature. JWTs are the de-facto standard for stateless authentication in modern APIs and single-page applications: the server signs a token once, and every subsequent request proves identity by carrying it, with no session storage required. A JWT is just three Base64Url-encoded segments separated by dots — which means anyone can decode and read it; the secret key is needed only to create or verify the signature.

This tool decodes the header and payload instantly and highlights the registered claims, converting numeric dates like exp, iat and nbf into readable timestamps so you can see at a glance whether a token is expired. Decoding happens fully in your browser — the token is never sent anywhere, which matters because production tokens grant real access.

Common use cases

Frequently asked questions

Is it safe to paste a JWT here?

The decoding runs entirely in your browser — the token never leaves your device. Still, treat production tokens like passwords: they grant access until they expire. Prefer testing with expired or staging tokens when possible.

Why can the token be read without the secret key?

JWTs are signed, not encrypted. Base64Url is an encoding anyone can reverse — the secret key is only needed to create or verify the signature. Never put sensitive data (passwords, card numbers) in a JWT payload; anyone holding the token can read it.

Does this tool verify the signature?

No — it decodes the content. Signature verification requires the secret (HMAC) or the public key (RSA/ECDSA) and should happen server-side. A decoded token that looks fine can still be forged if you skip verification on your backend.

What are exp, iat and nbf?

Registered time claims, as Unix timestamps: iat is when the token was issued, exp is when it expires, and nbf ("not before") is the earliest moment it becomes valid. The decoder converts all three into readable dates and flags expired tokens.
