JWT Decoder

Paste a JSON Web Token to read its header and payload as formatted JSON, with expiry and timestamps decoded — all in your browser.

This tool only decodes a token so you can read it — it does not verify the signature. Never trust a decoded payload for authentication without verifying it on your server.
— What it does

The JWT Decoder is a free tool that splits a JSON Web Token into its three parts, base64url-decodes the header and payload, and pretty-prints each as JSON. It converts the standard exp, iat, and nbf timestamp claims into human-readable dates and flags whether the token has expired. It only decodes the token and does not verify the signature. Everything runs locally — your token is never uploaded.

  • Base64url-decodes the header and payload and pretty-prints each as JSON.
  • Converts exp, iat, and nbf claims to readable dates and flags expired tokens.
  • Shows the raw signature segment, clearly marked as not verified.
  • Runs entirely in your browser — your token is never uploaded to a server.

How to use it

1. Paste your JWT
   Paste a token in the header.payload.signature format into the input box.

2. Read the decoded parts
   The header and payload appear as formatted JSON, with timestamp claims translated to dates.

3. Check expiry and copy
   See whether the token is expired and copy the decoded header or payload to your clipboard.

Frequently asked

Does this verify the JWT signature?
No. This tool only decodes the token so you can read its contents. It does not verify the signature, which would require the secret or public key. Never trust a decoded payload for authentication without verifying the signature on your server.

What do the exp, iat, and nbf claims mean?
These are standard JWT time claims expressed as Unix timestamps in seconds. exp is the expiration time, iat is when the token was issued, and nbf is the not-before time. The decoder converts each to a human-readable date and marks the token as expired when the current time is past exp.

Why does my token fail to decode?
A JWT must have three parts separated by dots, and the header and payload must be valid base64url-encoded JSON. If a part is missing, contains invalid base64url characters, or is not valid JSON, the decoder shows an error explaining what went wrong.

Is my token sent anywhere?
No. All decoding happens locally in your browser with JavaScript. Your token is never uploaded or stored, so it is safe to inspect tokens that contain sensitive claims.
— Built by saavos
