JWT Decoder

Decode and inspect a JWT instantly.

The JWT Decoder splits a JSON Web Token into its header and payload, pretty-prints the claims as readable JSON, and flags whether the token has expired — all decoded entirely in your browser, so the token is never sent to a server. That privacy matters: a JWT often carries session or identity data you shouldn't paste into a remote service. Free, instant, no sign-up.

How to use JWT Decoder

The JWT Decoder decodes a JSON Web Token into its header and payload, formats the claims as readable JSON, and tells you whether the token has expired. Everything happens in your browser — your token is never sent to a server.

1Paste your JWT (header.payload.signature).
2See the decoded header and payload as formatted JSON.
3Check the expiry status and standard claims.

Private

Decoding runs entirely on your device — tokens never leave the browser.

Expiry check

Instantly see whether the token is expired, with the exp date.

Readable JSON

Header and payload are pretty-printed for easy inspection.

Decode a JWT token online

Paste a token in header.payload.signature form and instantly see the decoded header and payload as formatted JSON. No sign-up, and because it runs in your browser the token is never uploaded.

Read a JWT payload and its claims

Inspect standard claims like sub, iss, aud and scope alongside your custom ones. Timestamp claims such as iat and exp are shown as readable dates, not raw numbers.

Check whether a JWT has expired

The decoder reads the exp claim and clearly flags whether the token is still valid or has expired, with the expiry date — a fast check while debugging authentication.

Debug auth without leaking the token

Unlike server-side decoders, decoding is 100% client-side, so a real production or session token is never logged or sent anywhere — the safe way to inspect a live token.

JWT Decoder — frequently asked questions

Is it safe to decode a JWT here?

Yes — the entire decode happens in your browser with JavaScript. Your token is never uploaded or logged.

Does this verify the JWT signature?

No. It decodes and displays the header and payload; verifying the signature requires the secret or public key, which this tool doesn't handle.

What do iat and exp mean?

iat is the issued-at time and exp is the expiry, both as Unix timestamps. The tool converts exp to a readable date and flags expired tokens.

What are the three parts of a JWT?

A JWT is header.payload.signature, three base64url sections joined by dots. The header names the algorithm, the payload holds the claims, and the signature is used to verify the token (this tool decodes the header and payload).

Is it free?

Yes, completely free with no sign-up.

Share this tool

Send it to someone who needs it or save the link for later.

X Facebook LinkedIn WhatsApp Reddit Pinterest Threads Bluesky Telegram Email

More developer tools

View all

Regex Tester

Build and test regular expressions live.

URL Encoder / Decoder

Percent-encode and decode URLs.

HTML Entity Encoder / Decoder

Encode and decode HTML entities.

JSON to CSV Converter

Turn a JSON array into CSV.

CSV to JSON Converter

Convert CSV into JSON objects.

Excel Viewer

Open & view XLSX files online.

All developer tools