Paste a JWT to instantly see its decoded header, payload, and expiration status.
This free online tool decodes a JSON Web Token (JWT) and shows
its header, payload, and expiration status in plain, readable JSON — no library, backend, or
account required. Paste a token from an Authorization: Bearer header, a session
cookie, or an API response, and see exactly what claims it carries.
exp, iat, and nbf are converted to human-readable dates automatically.exp claim has already passed.This tool decodes the header and payload segments only; it does not verify the signature. A JWT's signature can only be verified with the issuer's secret or public key, and doing that safely requires knowing exactly which service issued the token — this tool is for quickly inspecting claims during development and debugging, not for authenticating a token in production.
Decoding happens entirely in your browser using JavaScript. Your token is never uploaded to a server — which matters, since a JWT's payload is only base64-encoded, not encrypted, and often contains user identifiers or other data you don't want to send to a third party.
A JWT is three base64url-encoded segments separated by dots: a header, a payload, and a signature. Here's what this tool does with each part.
The first segment is base64url-decoded and parsed as JSON, revealing the signing algorithm (alg) and token type (typ), shown as badges above the output panels.
The second segment holds the token's claims — the actual data, such as a user ID, roles, or an expiration time. It's decoded and pretty-printed just like the header.
If the payload includes an exp claim (a Unix timestamp), this tool compares it against the current time and flags the token as expired or still valid.
Base64url segments are decoded byte-by-byte and converted with a proper UTF-8 decoder, so claims containing non-ASCII characters (names, addresses, emoji) render correctly instead of as garbled text.
Quickly inspect the claims inside an access or ID token returned by an auth service (Auth0, Firebase, Cognito, custom OAuth servers) while debugging an integration.
Check what's actually inside a token stored in localStorage or a cookie — confirm the expected claims and expiration are present before wiring up API calls.
Verify that a token issued during a test run contains the expected roles, audience, and expiration — without writing a throwaway decoding script.
See exactly how a JWT is structured while learning about token-based authentication, alongside the JWT explainer article.
A JSON Web Token (JWT) is a compact, URL-safe way to represent claims between two parties — commonly used for authentication and authorization. It consists of a header, payload, and signature, each base64url-encoded and joined with dots.
No. This tool only decodes the header and payload so you can read the claims. Verifying a signature requires the issuer's secret (HS256) or public key (RS256/ES256), which this tool intentionally does not ask for.
No — a standard JWT's header and payload are only base64url-encoded, not encrypted. Anyone who has the token can decode and read its contents, which is exactly what this tool demonstrates. Never put secrets in a JWT payload.
The tool compares the payload's exp claim (a Unix timestamp in seconds) against the current time. If exp is in the past, the token is flagged as expired — this is a client-side check only and doesn't affect the real token.
No. All decoding happens locally in your browser with JavaScript. Nothing is sent to a server, which matters since JWT payloads often contain user identifiers or other data you don't want to expose to a third party.
A valid JWT always has exactly three segments — header, payload, and signature — separated by two dots. If your input has a different number of parts, it isn't a complete JWT (it may be truncated, or it might not be a JWT at all).
Built by Deepak Kumar — a developer who wanted a JSON tool that respects your privacy. All processing happens in your browser. Your data never leaves your device.