Free · No signup · Runs in your browser

JWT Decoder

Paste a JSON Web Token and read its header and payload as clean JSON, with epoch claims rendered as UTC times — decoded entirely in your browser.

01 · How it works

Three steps, then done.

Paste a token, get a labelled report instantly. The decoder splits the token on its dots, base64url-decodes the header and payload, and pretty-prints both — then translates the time claims into readable UTC.

1. Paste your token

Drop the full JWT — three base64url segments joined by dots — into the box. The signature segment is kept for structure but never verified.

2. Read the decoded report

The HEADER and PAYLOAD sections appear as formatted JSON. Standard time claims (iat, nbf, exp, auth_time) are also shown as UTC timestamps.

3. Spot expiry at a glance

The status line names the signing algorithm and flags the token as expired when its exp claim is in the past. Copy or download the report when you're done.

02 · Why ours

Inspect tokens without leaking them.

A JWT often carries identity, scopes, and session data. Pasting one into a server-backed decoder ships that payload to someone else's machine. This tool never does.

  • 01

    Nothing leaves your browser

    Decoding runs in pure client-side JavaScript. Your token is never uploaded, logged, or stored — close the tab and it's gone.

  • 02

    Decode, not verify

    We split and base64url-decode the token without any secret or public key. You see exactly what the token claims, with no signature step to fail on.

  • 03

    Human-readable expiry

    Epoch seconds are unreadable at a glance. We render iat, nbf, exp, and auth_time as UTC strings and mark a past exp as expired.

  • 04

    Honest about malformed input

    A token that isn't three dot-separated parts, or whose segments aren't valid base64url JSON, returns a clear message instead of a crash or garbage.

"A JWT is just base64url JSON with a signature stapled on — you should be able to read yours without handing it to a stranger's server."
Why we built the decoder

03 · FAQ

JWT decoder questions.

Does this verify the token's signature?
No. This is a decoder, not a verifier. It reveals the header and payload without checking the signature, so it needs no secret or public key. Never trust a decoded token as authentic — signature verification must happen on your server with the real key.
No. The entire decode happens in your browser with built-in JavaScript. Your JWT is never transmitted to any server, never logged, and never stored. You can confirm this by decoding with your network disconnected.
JWT time claims are stored as Unix epoch seconds, which are hard to read. We show the raw number and a readable UTC timestamp side by side, so you can see both the literal value and what it means.
When the payload contains an exp (expiration) claim whose time is in the past relative to your current clock, the report flags the token as expired and appends a note to the status line. A token without an exp claim is never marked expired.
A valid JWT is exactly three base64url segments joined by dots, where the first two decode to JSON. If you see an error, check for missing parts, extra whitespace, a truncated copy, or a token that was URL-encoded or wrapped in quotes.
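
The decode-only flow described on this page (split on dots, base64url-decode header and payload, render time claims as UTC, flag a past exp, reject malformed input), as an added example that is not this tool's own source. The names `decodeJwt` and `decodeSegment`, the shape of the returned object, and the sample token are assumptions made for illustration.

```javascript
const TIME_CLAIMS = ["iat", "nbf", "exp", "auth_time"];
const B64URL = /^[A-Za-z0-9_-]+$/;

// Decode one base64url segment into a JSON object, or throw a readable error.
function decodeSegment(seg, name) {
  if (!B64URL.test(seg) || seg.length % 4 === 1) throw new Error(`${name}: not base64url`);
  const b64 = seg.replace(/-/g, "+").replace(/_/g, "/").padEnd(Math.ceil(seg.length / 4) * 4, "=");
  let value;
  try {
    const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
    value = JSON.parse(new TextDecoder("utf-8", { fatal: true }).decode(bytes));
  } catch {
    throw new Error(`${name}: does not decode to JSON`);
  }
  if (value === null || typeof value !== "object" || Array.isArray(value)) {
    throw new Error(`${name}: JSON is not an object`);
  }
  return value;
}

// Decode only: the signature is shape-checked but never verified.
function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error(`expected 3 segments, got ${parts.length}`);
  const header = decodeSegment(parts[0], "header");
  const payload = decodeSegment(parts[1], "payload");
  if (!B64URL.test(parts[2])) throw new Error("signature: not base64url");
  const times = {};
  for (const claim of TIME_CLAIMS) {
    const ms = payload[claim] * 1000;
    // Skip non-numeric or out-of-range values instead of throwing from Date.
    if (typeof payload[claim] === "number" && Math.abs(ms) <= 8.64e15) {
      times[claim] = new Date(ms).toISOString();
    }
  }
  const expired = typeof payload.exp === "number" && payload.exp < nowSeconds;
  return { alg: header.alg, header, payload, times, expired, verified: false };
}

// Constructed sample token (not from the page); "c2ln" is a dummy signature.
const enc = (obj) => btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE = [enc({ alg: "HS256", typ: "JWT" }), enc({ sub: "user-1", iat: 1700000000, exp: 1700003600 }), "c2ln"].join(".");
console.log(decodeJwt(SAMPLE, 1700009999));
```

The `verified: false` field is always set, so callers cannot mistake decoded claims for authenticated ones.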