Decode JSON Web Tokens instantly. Inspect header, payload, claims, and expiration. Nothing is sent anywhere.
JSON Web Tokens (JWTs) are a compact, URL-safe means of representing claims transferred between two parties. This tool splits any JWT into its three Base64url-encoded segments β header, payload, and signature β and renders each as a readable, collapsible JSON tree so you can immediately see the algorithm, subject, issuer, and custom claims without writing any code.
It also computes human-readable timestamps for iat, exp, and nbf claims so you can instantly check whether a token is still valid. Everything runs entirely inside your browser β your JWT is never sent to any server.
exp (expiry) timestamp is set correctly and hasn't already passed in production or staging environments.alg) and key ID (kid) headers when troubleshooting JWKS key-rotation problems.No β signature verification requires the secret key (HMAC) or the public key (RSA/ECDSA), which you should never paste into any online tool. This decoder only reads the header and payload, which are Base64url-encoded plain data. Use your backend SDK or a trusted library to verify the signature server-side.
All decoding happens locally in JavaScript β nothing is transmitted to any server. That said, treat bearer tokens as passwords: avoid pasting live tokens into any external service. Use short-lived test tokens or redact sensitive claim values when sharing decoded output.
JWT expiry (exp) is a Unix timestamp in seconds. Many libraries and identity providers build in a clock-skew tolerance (typically 0β5 minutes) so minor time differences between servers don't reject valid tokens. If the token shows as expired here but your server still accepts it, the server is applying that leeway intentionally.