πŸ”

JWT Decoder & Inspector

Decode JSON Web Tokens instantly. Inspect header, payload, claims, and expiration. Nothing is sent anywhere.

JWT Token

About JWT Decoder & Inspector

JSON Web Tokens (JWTs) are a compact, URL-safe means of representing claims transferred between two parties. This tool splits any JWT into its three Base64url-encoded segments β€” header, payload, and signature β€” and renders each as a readable, collapsible JSON tree so you can immediately see the algorithm, subject, issuer, and custom claims without writing any code.

It also computes human-readable timestamps for iat, exp, and nbf claims so you can instantly check whether a token is still valid. Everything runs entirely inside your browser β€” your JWT is never sent to any server.

Common Use Cases

How to Use

  1. Paste your JWT string (the three dot-separated segments) into the input field at the top of the page.
  2. The header and payload panels update instantly, showing each field as colour-coded JSON with collapsible nested objects.
  3. Check the Token Status section to see whether the token is currently valid, expired, or missing an expiry claim.
  4. Use the Copy buttons on either panel to copy the header or payload as formatted JSON for use in documentation or bug reports.

Frequently Asked Questions

Can this tool verify the JWT signature?

No β€” signature verification requires the secret key (HMAC) or the public key (RSA/ECDSA), which you should never paste into any online tool. This decoder only reads the header and payload, which are Base64url-encoded plain data. Use your backend SDK or a trusted library to verify the signature server-side.

Is it safe to paste a production JWT here?

All decoding happens locally in JavaScript β€” nothing is transmitted to any server. That said, treat bearer tokens as passwords: avoid pasting live tokens into any external service. Use short-lived test tokens or redact sensitive claim values when sharing decoded output.

Why does the expiry show a time in the past even though my app still accepts the token?

JWT expiry (exp) is a Unix timestamp in seconds. Many libraries and identity providers build in a clock-skew tolerance (typically 0–5 minutes) so minor time differences between servers don't reject valid tokens. If the token shows as expired here but your server still accepts it, the server is applying that leeway intentionally.

Advertisement