HEADER
{
"alg": "HS256",
"typ": "JWT"
}
PAYLOAD
{
"sub": "1234567890",
"name": "Anvil",
"iat": 1516239022
}
CLAIMS
Issued Thu, 18 Jan 2018 01:30:22 GMT
SIGNATURE
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
About JWT Decoder — Inspect JSON Web Tokens Online
A JSON Web Token (JWT) is a compact, signed token used for authentication and authorization — typically sent in an `Authorization: Bearer` header on API requests. It has three Base64url-encoded parts separated by dots: a header (algorithm), a payload (claims like the subject, issued-at, and expiry), and a signature.
This free JWT decoder reveals the header, payload, and standard claims of any token, and flags whether it has expired — the expiry badge reads the `exp` claim so you can tell at a glance if a token is still live. Everything happens in your browser; your tokens are never sent to a server.
Features
- Decode the header and payload of any JWT
- See standard claims: issued-at (iat), expiry (exp), not-before (nbf)
- Expiry badge — instantly see if a token is still valid
- Decoding is 100% offline; tokens never leave your device
How to use
- Paste a JWT (it usually starts with "eyJ") into the input pane.
- Read the decoded header, payload, claims, and signature in the output.
- Check the badge to see whether the token is valid or expired.
Frequently asked questions
Does decoding a JWT verify it?
No. Decoding just reads the Base64url-encoded parts — anyone can do that. Verifying authenticity requires checking the signature with the secret or public key, which is a separate step.
How do I verify a JWT signature, or decode one without the secret?
Decoding never needs the secret — the header and payload are only Base64url-encoded, so this tool reads them straight away without any key. Verifying is the separate step: it recomputes the signature using the secret (HMAC) or public key (RSA/ECDSA) and checks it matches. This tool decodes and inspects; it does not verify, so a decoded token is not a trusted one until your backend has checked the signature.
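The decode/verify split described above, as an added example (not this tool's code): Node.js with the built-in crypto module, HS256 only. `DEMO_SECRET`, the helper names and the sample claims are constructed for illustration.

```javascript
// Added example: decode vs. verify for an HS256 JWT (Node.js, built-in crypto only).
const nodeCrypto = require("node:crypto");

const b64url = (buf) => Buffer.from(buf).toString("base64url");
const fromB64url = (s) => JSON.parse(Buffer.from(s, "base64url").toString("utf8"));

// Decoding: no key involved, so the result is untrusted input.
function decodeJwt(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  return { header: fromB64url(parts[0]), payload: fromB64url(parts[1]), signature: parts[2] };
}

// Verifying: recompute the HMAC over "header.payload" and compare in constant time.
function verifyHs256(token, secret, nowSeconds = Math.floor(Date.now() / 1000)) {
  let decoded;
  try { decoded = decodeJwt(token); } catch { return { ok: false, reason: "malformed" }; }
  const { header, payload, signature } = decoded;
  // Pin the algorithm on the verifier side; never let the token's header choose it.
  if (header.alg !== "HS256") return { ok: false, reason: "unexpected alg" };
  const signingInput = token.slice(0, token.lastIndexOf("."));
  const expected = nodeCrypto.createHmac("sha256", secret).update(signingInput).digest();
  const given = Buffer.from(signature, "base64url");
  if (given.length !== expected.length || !nodeCrypto.timingSafeEqual(given, expected))
    return { ok: false, reason: "bad signature" };
  // Time claims are only meaningful once the signature has checked out.
  if (typeof payload.nbf === "number" && nowSeconds < payload.nbf) return { ok: false, reason: "not yet valid" };
  if (typeof payload.exp === "number" && nowSeconds >= payload.exp) return { ok: false, reason: "expired" };
  return { ok: true, payload };
}

// Constructed sample data: demo secret and claims, not a real credential.
const DEMO_SECRET = "constructed-demo-secret";
function signHs256(payload, secret) {
  const input = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" })) + "." + b64url(JSON.stringify(payload));
  return input + "." + nodeCrypto.createHmac("sha256", secret).update(input).digest("base64url");
}
const token = signHs256({ sub: "1234567890", name: "Anvil", iat: 1516239022, exp: 1516242622 }, DEMO_SECRET);

// Tampered copy: payload swapped, original signature kept. It still decodes cleanly.
const [h, , s] = token.split(".");
const forged = [h, b64url(JSON.stringify({ sub: "1234567890", name: "Admin", iat: 1516239022 })), s].join(".");

console.log(decodeJwt(forged).payload.name);               // decodes without any key
console.log(verifyHs256(forged, DEMO_SECRET, 1516240000)); // signature check fails
console.log(verifyHs256(token, DEMO_SECRET, 1516240000));  // genuine token, inside its lifetime
console.log(verifyHs256(token, DEMO_SECRET, 1516250000));  // genuine token, past exp
```

The tampered token decodes exactly like a genuine one, which is why a decoder's output, including its expiry badge, says nothing about whether the claims can be trusted.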
Is it safe to paste a token here?
Yes. Decoding happens entirely in your browser and nothing is uploaded. Still, treat production tokens as secrets and avoid pasting them anywhere you do not trust.
What do iat, exp, and nbf mean?
They are standard time claims: iat = issued-at, exp = expiry, nbf = not-before. The tool renders each as a human-readable UTC date.
Everything runs locally in your browser — your input is never uploaded.