Free · in your browser

JWT Decoder

Paste a JSON Web Token to instantly decode its header and payload, with human-readable expiry and issued-at times. Free, fast and private: your token never leaves your device.

Signature is not verified — this tool only decodes the token. Never trust a JWT without verifying its signature server-side.
Private by design — your token is decoded locally and never uploaded.

How to decode a JWT online

  1. Paste your JSON Web Token (the header.payload.signature string) into the box above.
  2. Click Decode token to base64url-decode and pretty-print the header and payload as JSON.
  3. Read the human-readable exp, iat and nbf times below, then use Copy payload to grab the claims.

Why use a JWT decoder?

JSON Web Tokens pack authentication claims into a compact, base64url-encoded string that is impossible to read at a glance. A JWT decoder unpacks the header and payload so you can inspect the algorithm, subject, scopes, issuer, and audience while debugging logins, API gateways, or OAuth flows. Crucially, decoding is not verification: the header and payload are encoded, not encrypted, so anyone who holds a token can read them, and reading them proves nothing about who issued the token. This parser therefore skips the signature check and never asks for your secret. Because it runs entirely in your browser, even tokens carrying personal data or access scopes stay on your machine; nothing is uploaded, logged, or stored anywhere.

Frequently asked questions

Is this JWT decoder free and private?
Yes — it is 100% free with no sign-up, and completely private. Your token is split and base64url-decoded directly in your browser; nothing is ever uploaded to a server, so even tokens containing sensitive claims stay on your machine.
Does it verify the JWT signature?
No. This tool only decodes the header and payload so you can read the claims. It does not check the signature, because that requires your secret or public key. Never trust a token in production without verifying its signature server-side.
Can it read the expiry and issued-at times?
Yes. If your payload contains exp, iat or nbf, the decoder shows each as a human-readable date and time alongside the raw Unix timestamp, and flags whether the token has already expired.
Why am I getting a decode error?
A JWT must have three dot-separated parts (header.payload.signature) and each must be valid base64url that decodes to JSON. If you paste a truncated, malformed, or non-JWT string, you will see a friendly error explaining what went wrong.
