Decode JWT header and payload directly in your browser. Inspect claims, review token structure, and check common timing fields such as exp, iat, and nbf.
JWT decoder
Decode JWT header and payload locally in your browser, inspect common claims, and review token timing fields.
Decoding happens locally in your browser. This tool does not verify token signatures.
How to use the JWT decoder
Paste a JWT into the input field and click Analyze token. The tool splits the token into its three parts, decodes the header and payload, and displays them in readable JSON format.
You can use it to inspect common claims such as issuer, subject, audience, expiration time, issued-at time, and not-before time. This makes it useful for debugging authentication flows, API integrations, and token-based sessions.
All decoding happens locally in your browser. The tool does not verify JWT signatures in this version, so it should be used for inspection and troubleshooting, not cryptographic trust validation.
Frequently asked questions
A JWT (JSON Web Token) is a compact, URL-safe token used to transfer structured information between systems.
It usually contains three parts separated by dots:
- Header — metadata such as algorithm and token type
- Payload — claims like user ID, issuer, audience, and expiration
- Signature — used to verify integrity and authenticity
JWTs are commonly used in authentication, API authorization, SSO, and modern web applications.
This tool decodes the JWT header and payload and displays them in a human-readable JSON format.
- Shows token structure
- Displays header and payload claims
- Shows the raw signature segment
- Checks common timing claims like exp, iat, and nbf
It is designed for inspection, debugging, and troubleshooting.
No. This version does not verify JWT signatures.
It decodes the token contents and checks common claim timing rules, but it does not confirm whether the token was actually signed with the correct secret or private key.
That means the tool is useful for understanding what is inside a token, but not for proving that the token is trustworthy.
No. All decoding happens locally in your browser.
The token is processed client-side, which makes this tool useful for quick inspection while keeping the workflow simple and private.
Still, avoid pasting sensitive production tokens unless necessary, especially on shared machines.
These are standard JWT timing claims:
- exp — expiration time; after this point the token should no longer be accepted
- iat — issued at; when the token was created
- nbf — not before; the token should not be accepted before this time
The decoder converts these Unix timestamps into readable date/time values and highlights whether a token is expired or not yet valid.
If the exp value is in the past compared to your current browser time, the token is marked as expired.
This usually means:
- the token lifetime has ended
- the token needs to be refreshed or reissued
- your local system time may be incorrect
If you are debugging auth issues, always check both token claims and system time.
Missing claims do not automatically make the token malformed.
For example, a token may not include:
- exp
- iat
- nbf
- aud
- iss
The decoder will still parse the token and simply show that the claim is not provided.
A token may fail to decode if:
- it does not contain exactly three parts
- the header or payload is not valid Base64URL
- the decoded header or payload is not valid JSON
- the token was copied incorrectly or includes extra characters
Make sure the JWT is pasted in one line and follows the standard header.payload.signature format.
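The decode steps, timing checks and failure cases described on this page, written out as an added JavaScript example; it is not the tool's own code. The names `decodeSegment`, `inspectJwt` and `sampleToken` are hypothetical, and like the tool it only decodes and never verifies a signature.

```javascript
// Added example: decode-only JWT inspection. Nothing here verifies the signature.
// atob/btoa exist in browsers and current Node; the Buffer fallback covers older Node.
const b64dec = typeof atob === 'function' ? atob : (s) => Buffer.from(s, 'base64').toString('binary');
const b64enc = typeof btoa === 'function' ? btoa : (s) => Buffer.from(s, 'binary').toString('base64');
const b64urlEncode = (s) => b64enc(s).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

function decodeSegment(seg, name) {
  // Base64URL alphabet only; a length of 4n+1 can never be valid Base64.
  if (!/^[A-Za-z0-9_-]+$/.test(seg) || seg.length % 4 === 1) {
    throw new Error(`${name} is not valid Base64URL`);
  }
  const pad = '='.repeat((4 - (seg.length % 4)) % 4);
  const bin = b64dec(seg.replace(/-/g, '+').replace(/_/g, '/') + pad);
  let obj;
  try {
    const bytes = Uint8Array.from(bin, (c) => c.charCodeAt(0));
    obj = JSON.parse(new TextDecoder('utf-8', { fatal: true }).decode(bytes));
  } catch (e) {
    throw new Error(`${name} is not valid UTF-8 JSON`);
  }
  if (obj === null || typeof obj !== 'object' || Array.isArray(obj)) {
    throw new Error(`${name} is not a JSON object`);
  }
  return obj;
}

function inspectJwt(token, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) throw new Error('token does not contain exactly three parts');
  const header = decodeSegment(parts[0], 'header');
  const payload = decodeSegment(parts[1], 'payload');
  // Seconds since the epoch, within the range a JavaScript Date can represent.
  const isTime = (v) => typeof v === 'number' && Number.isFinite(v) && Math.abs(v) <= 8.64e12;
  const timing = {};
  for (const claim of ['exp', 'iat', 'nbf']) {
    const v = payload[claim];
    if (v === undefined) timing[claim] = 'not provided'; // a missing claim is not malformed
    else timing[claim] = isTime(v) ? new Date(v * 1000).toISOString() : 'not a numeric timestamp';
  }
  return {
    header, payload, timing,
    signatureSegment: parts[2], // shown raw, never checked
    expired: isTime(payload.exp) && nowSec >= payload.exp,
    notYetValid: isTime(payload.nbf) && nowSec < payload.nbf,
    signatureVerified: false,
  };
}

// Constructed sample token (not a real credential); its signature segment is a placeholder.
const sampleToken = (claims) =>
  [b64urlEncode('{"alg":"HS256","typ":"JWT"}'), b64urlEncode(JSON.stringify(claims)), 'c2lnbmF0dXJl'].join('.');
```

Passing `nowSec` explicitly makes it easy to separate a genuinely expired token from one that only looks expired because the local clock is wrong.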
