JWT Decoder

Paste a JSON Web Token to decode its header and payload, inspect standard claims, and check expiration. All processing runs in your browser.

  • Runs entirely in your browser
  • No data stored or sent to a server
  • Free forever — no signup
  • Instant conversion


How to Decode and Inspect JWTs

JWT Decoding

When to Decode JWTs

Decode JWTs when debugging OAuth flows, inspecting API authorization headers, verifying claim values, or checking whether a token has expired — without needing a backend.

JWT Structure

A JSON Web Token has three Base64URL-encoded parts separated by dots: header.payload.signature. The header names the signing algorithm, the payload holds the claims, and the signature lets the recipient verify integrity.

Common Claims

  • exp — expiration time (Unix seconds)
  • iat — issued at time
  • sub — subject (usually user ID)
  • iss — issuer
  • aud — intended audience

Security Note

Decoding reveals the payload but does not verify the signature. A decoded JWT can still be forged. Never trust claims without signature verification using the issuer's public key or shared secret.
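
The sketch below is an added example, not this tool's own code. It does decode-only inspection of the kind described above and shows why that is not verification: a token whose payload was rewritten decodes as cleanly as the original. The function names, sample claims and placeholder signature are all constructed for illustration.

```javascript
// Added example: decode-only JWT inspection. All names here are hypothetical.
function b64urlToJson(part) {
  // Base64URL -> Base64: swap the URL-safe alphabet and restore padding.
  const b64 = part.replace(/-/g, "+").replace(/_/g, "/")
    .padEnd(Math.ceil(part.length / 4) * 4, "=");
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}

function jsonToB64url(obj) {
  const bytes = new TextEncoder().encode(JSON.stringify(obj));
  return btoa(String.fromCharCode(...bytes))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const header = b64urlToJson(parts[0]);
  const payload = b64urlToJson(parts[1]);
  return {
    header,
    payload,
    // exp is Unix seconds; a token without exp is reported as not expired.
    expired: typeof payload.exp === "number" && payload.exp <= nowSeconds,
    // Nothing here checks parts[2] against a key, so this is always false.
    signatureVerified: false,
  };
}

// Constructed sample token: the signature is a placeholder, not a real MAC.
const sampleHeader = { alg: "HS256", typ: "JWT" };
const sampleClaims = { iss: "https://issuer.example", sub: "user-123",
                       aud: "api", iat: 1700000000, exp: 1700003600 };
const sampleToken =
  `${jsonToB64url(sampleHeader)}.${jsonToB64url(sampleClaims)}.c2lnbmF0dXJl`;

// Same token with the payload rewritten and the old signature left in place.
const tamperedToken = [
  jsonToB64url(sampleHeader),
  jsonToB64url({ ...sampleClaims, sub: "admin", exp: 4102444800 }),
  "c2lnbmF0dXJl",
].join(".");

console.log(inspectJwt(sampleToken, 1700000100));   // decodes, not expired
console.log(inspectJwt(tamperedToken, 1700000100)); // also decodes cleanly
```

Both calls return well-formed claims, and only a signature check against the issuer's key would tell the two tokens apart.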

Frequently asked questions

Does this tool verify JWT signatures?

No. This decoder inspects the header and payload only. Signature verification requires the secret or public key and is not performed here.

Is it safe to paste production JWTs here?

Yes. All processing runs locally in your browser. Tokens are never sent to a server. However, treat decoded tokens as sensitive — anyone with the token can use it until it expires.

Why does my token show as expired?

The exp claim is compared against the current Unix timestamp. If exp is in the past, the token is expired and should be refreshed.