JWT Decoder

Decode a JSON Web Token to inspect its header and claims, with human-readable timestamps and expiry status. Runs 100% in your browser — your token is never uploaded.

Sponsored
🔒 Your token never leaves this page. Decoding happens entirely in your browser — nothing is uploaded or logged.
Sponsored

Frequently asked questions

Is my token sent to a server?

No. All decoding happens locally in your browser using JavaScript. Your JWT is never transmitted, logged or stored, so it's safe to paste real tokens.

Does this verify the signature?

No — and that's deliberate. Verifying a signature requires the secret or public key, which you should never paste into a website. This tool decodes and inspects the header and payload; use your backend to verify signatures.

Why can I read the payload without a key?

Because a JWT payload is only Base64URL-encoded, not encrypted. That's by design — never put secrets in a JWT payload, since anyone holding the token can read it.

What does 'expired' mean here?

If the payload has an exp claim, the tool compares it to the current time and flags whether the token is still valid or has expired. It also reads nbf (not-before) if present.

About JWT decoding