Developer Tool

JWT Decoder

Paste a JSON Web Token to decode and inspect its header, payload, claims, and expiration — all processed locally in your browser.

100% local

Status

Token

Decoded

Paste a JWT token to decode it

How it works

JWT Decoder in 3 steps

Paste your token
Copy a JWT from your API response, authorization header, or cookie and paste it into the input field.
Inspect the payload
The header and payload are decoded and displayed as formatted JSON. Time-based claims (exp, iat, nbf) are converted to readable dates.
Check expiration
The tool automatically shows whether the token is active or expired based on the exp claim, with a clear visual indicator.

Practical guides

Get the most out of JWT decoding

How it works

JSON Web Tokens (JWT) are the standard format for transmitting authentication and authorization data in modern web applications. They are used in OAuth 2.0, OpenID Connect, and API authentication.

A JWT contains three Base64-encoded parts separated by dots: the header (algorithm), the payload (claims), and the signature. This tool decodes the first two parts so you can inspect the token contents.

Quick & easy

Privacy & security

This JWT decoder runs entirely in your browser. No token data is ever transmitted to any server — the decoding happens locally using JavaScript.

No data is sent to any server — all processing happens locally in your browser for maximum privacy.

100% browser-based

Frequently asked questions

JWT Decoder — FAQ

Everything you need to know about decoding JSON Web Tokens

A JSON Web Token (JWT) is a compact, URL-safe token format used for securely transmitting information between parties. It consists of three parts: a header (algorithm and type), a payload (claims/data), and a signature.

Yes. This tool runs entirely in your browser — no token data is ever sent to a server. The decoding happens locally using JavaScript. However, never share your tokens publicly as they may contain sensitive information.

This tool decodes and displays the token contents but does not verify signatures. Signature verification requires the secret key or public key used to sign the token, which should never be shared in a browser tool.

Claims are statements about the user or token metadata stored in the payload. Standard claims include 'iss' (issuer), 'sub' (subject), 'exp' (expiration), 'iat' (issued at), and 'aud' (audience). Custom claims can store any data.

The payload's 'exp' claim contains the expiration time as a Unix timestamp. This tool automatically converts it to a human-readable date and shows whether the token is still active or has expired.

JWS (JSON Web Signature) tokens are signed but not encrypted — the payload is Base64-encoded and readable. JWE (JSON Web Encryption) tokens are encrypted, hiding the payload contents. Most JWTs you encounter are JWS tokens.

JWT Decoder

JWT Decoder in 3 steps

Paste your token

Inspect the payload

Check expiration

Get the most out of JWT decoding

How it works

Privacy & security

JWT Decoder — FAQ

What is a JWT?

Is it safe to paste my JWT here?

Can this tool verify JWT signatures?

What are JWT claims?

How do I check if a JWT is expired?

What is the difference between JWS and JWE?

JWT Decoder

JWT Decoder in 3 steps

Paste your token

Inspect the payload

Check expiration

Get the most out of JWT decoding

How it works

Privacy & security

JWT Decoder — FAQ

What is a JWT?

Is it safe to paste my JWT here?

Can this tool verify JWT signatures?

What are JWT claims?

How do I check if a JWT is expired?

What is the difference between JWS and JWE?