JWT Decoder
Runs in browser
Decode JWT header and payload claims locally in the browser.
Decode JSON Web Tokens in the browser. View header and payload as JSON. No signature verification—use for inspection and debugging only.
JWT Decoder tool
Expiry: Expired
{
  "alg": "HS256",
  "typ": "JWT"
}

{
  "sub": "1234567890",
  "name": "Alice Johnson",
  "iat": 1700000000,
  "exp": 1700003600
}

This tool does not verify the signature. Use it only to inspect claims and headers.
🔒 Runs in your browser · No uploads · Your data never leaves your device
How to use
Paste your JWT
Paste a full JWT (header.payload.signature) into the text area. It will be decoded automatically.
Read header and payload
The decoded header and payload are shown as formatted JSON. You can expand claims like exp, iat, or sub.
Copy JSON
Use the Copy button next to each section to copy the header or payload JSON.
Common use cases
- Debugging authentication issues — Paste a JWT from an Authorization header to inspect claims like sub, exp, and iat and verify the token is well-formed.
- Checking token expiry — Decode the exp claim to see when a token expires without writing any code.
- Verifying token structure during development — Confirm that your auth server is including the expected custom claims in tokens during local development.
- Auditing third-party tokens — Inspect tokens from external OAuth providers to understand what scopes and metadata they contain.
Examples
Sample JWT
A typical JWT has three Base64URL segments. Only the first two (header and payload) are decoded here.
Input: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIn0.x
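The decode step described above, written out as an added example (it is not this tool's own source code): it splits the token, Base64URL-decodes only the header and payload, and reports expiry without ever checking the signature. The function names, the signatureVerified field and the status labels other than "Expired" are assumptions made for illustration.

```javascript
// Added example: decode-only JWT inspection. The signature is never verified,
// so the result must not be used for any authorization decision.
function base64UrlToText(segment) {
  if (!/^[A-Za-z0-9_-]*$/.test(segment)) {
    throw new Error("segment contains characters outside the Base64URL alphabet");
  }
  if (segment.length % 4 === 1) {
    throw new Error("segment has an impossible Base64URL length");
  }
  // Map the URL-safe alphabet back to standard Base64 and restore the omitted padding.
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  // fatal: true rejects invalid UTF-8 instead of silently substituting characters.
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

function parseJsonObject(segment, label) {
  const value = JSON.parse(base64UrlToText(segment));
  if (value === null || typeof value !== "object" || Array.isArray(value)) {
    throw new Error(label + " is not a JSON object");
  }
  return value;
}

function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) {
    throw new Error("expected header.payload.signature, got " + parts.length + " segment(s)");
  }
  const header = parseJsonObject(parts[0], "header");
  const payload = parseJsonObject(parts[1], "payload");
  // exp is a Unix timestamp in seconds. Labels other than "Expired" are assumed.
  let expiry = "No exp claim";
  if (typeof payload.exp === "number") {
    expiry = nowSeconds >= payload.exp ? "Expired" : "Not expired";
  }
  // parts[2] (the signature) is deliberately left untouched.
  return { header, payload, expiry, signatureVerified: false };
}

// The sample token from this page; its signature segment is the placeholder "x".
const SAMPLE =
  "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIn0.x";
console.log(JSON.stringify(inspectJwt(SAMPLE), null, 2));
```

The sample decodes cleanly even though its signature is just "x", which is why decoded claims say nothing about whether a token is authentic.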
Frequently asked questions
- Does this verify the JWT signature?
  No. This tool only decodes the header and payload. It does not verify the signature. Do not use it to make security decisions; use your backend or a proper JWT library for verification.
- Is my token sent to a server?
  No. Decoding happens entirely in your browser. The token never leaves your device.
Key concepts
- JWT
  JSON Web Token — a compact, URL-safe token format consisting of three Base64URL-encoded parts: header, payload, and signature.
- Claim
  A key-value pair in the JWT payload, such as sub (subject), exp (expiry), or iat (issued at).
- exp
  The expiration time claim — a Unix timestamp after which the token should be considered invalid.
- Base64URL
  A variant of Base64 that uses - and _ instead of + and / and omits padding, making it safe for use in URLs.