JWT Decoder — Decode JSON Web Tokens Instantly

Paste any JWT token to decode its header, payload, and signature. View claims, expiry time, and issued-at time in human-readable format. 100% browser-based, nothing sent to any server.

Warning: This tool decodes JWT tokens but does NOT verify the signature. Never paste tokens containing sensitive production credentials into any online tool.

Frequently Asked Questions

A JWT (JSON Web Token) is a compact, URL-safe token used for authentication and information exchange. It has three parts separated by dots: header (algorithm and token type), payload (claims like user ID, expiry, roles), and signature (to verify the token wasn't tampered with). JWTs are widely used in modern web APIs and single sign-on systems.
The header and payload of a JWT are Base64url-encoded (not encrypted), so anyone can decode them without the secret key. Only the signature verification requires the secret. This tool decodes the header and payload using the browser's atob() function. It does NOT verify the signature — it only shows the contents.
The payload contains claims — statements about the entity (typically the user) and additional data. Common claims include "sub" (subject/user ID), "iss" (issuer), "exp" (expiration time), "iat" (issued at), "name" (user name), and "roles" (user permissions). Custom claims can also be added by the application.
Decode the JWT and look for the "exp" claim in the payload. This is a Unix timestamp (seconds since January 1, 1970). This tool automatically converts it to a human-readable date and time. If the expiry is in the past, the token has expired and a new one must be obtained.

Related Tools

Last updated: June 2026