JWT Decoder
Header, payload, and expiry. No verify, nothing sent.

JWT decoder, see inside.

Header, payload, and signature at a glance with exp/iat auto-converted. ⚠️ Decode only — signature is NOT verified (needs the secret).

Read a JWT without sending it anywhere

A JSON Web Token has three Base64URL parts joined by dots: header, payload, and signature. This tool decodes the first two into readable JSON and shows the signature as-is. Time claims like exp, iat, and nbf are converted from Unix epoch to ISO timestamps, and an expiry badge tells you at a glance whether the token has passed its exp time.

Decode is not verify

Anyone can read a JWT — that is by design. Confirming it is authentic requires the signing secret or public key, which this tool never asks for and never has. Treat the decoded contents as untrusted until your server verifies the signature.
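
The decode steps described above (split on dots, Base64URL-decode the header and payload, convert exp/iat/nbf), as an added example that is not this tool's own code. Function names are hypothetical and the sample token is constructed with a placeholder signature; it runs in a browser console or Node.js 16+.

```javascript
// Added illustration; names are hypothetical, not the tool's own code.
const TIME_CLAIMS = ["exp", "iat", "nbf"];

// Base64URL -> parsed JSON: swap the URL-safe alphabet, restore padding.
function b64urlToJson(part) {
  const b64 = part.replace(/-/g, "+").replace(/_/g, "/")
    .padEnd(Math.ceil(part.length / 4) * 4, "=");
  const bytes = Uint8Array.from(atob(b64), (ch) => ch.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}

// Decode only. Nothing here touches a key, so `verified` is always false.
function decodeJwt(token, nowMs = Date.now()) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const [head, body, signature] = parts;
  const header = b64urlToJson(head);
  const payload = b64urlToJson(body);
  const times = {};
  for (const claim of TIME_CLAIMS) {
    // Time claims are seconds since the Unix epoch; Date wants milliseconds.
    if (typeof payload[claim] === "number") {
      times[claim] = new Date(payload[claim] * 1000).toISOString();
    }
  }
  let expiry = "no exp claim";
  if (typeof payload.exp === "number") {
    expiry = nowMs >= payload.exp * 1000 ? "expired" : "not expired";
  }
  return { header, payload, signature, times, expiry, verified: false };
}

// Constructed sample: the third part is placeholder text, not a real signature.
function makeSampleToken(payload) {
  const enc = (obj) => btoa(JSON.stringify(obj))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return [enc({ alg: "HS256", typ: "JWT" }), enc(payload), "cGxhY2Vob2xkZXI"].join(".");
}

const sample = makeSampleToken({ sub: "user-123", iat: 1700000000, exp: 1700003600 });
// Decodes cleanly even though no key ever signed it: decoding proves nothing.
console.log(decodeJwt(sample, 1700000100 * 1000));
```

The sample decodes without error although its signature is placeholder text, which is why an "not expired" result says nothing about authenticity.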

Stays in your browser

Decoding is local. Your token is not transmitted, logged, or stored, so it is safe to inspect production tokens here.

FAQ

Does this check if the token is valid?
No. It decodes and shows expiry from the exp claim, but it does not verify the cryptographic signature — that needs the secret/key on your backend.
Is it safe to paste a real access token?
The decoding never leaves your browser. Still, treat live tokens carefully and revoke any you have shared elsewhere.