How it works
JWT Decoder — Decode and inspect JSON Web Tokens (header, payload, expiry). All processing happens in your browser — no upload, no signup, no email required. Free forever.
About JWT Decoder
A JSON Web Token looks like an opaque string of dots and base64, but inside it is a perfectly readable JSON header and payload — plus a signature that proves the issuer minted it. This JWT decoder splits the three segments, base64url-decodes them, pretty-prints the JSON, and converts the standard time claims (iat, nbf, exp) into your local timezone so you can immediately see whether a token is expired, when it was issued and who it was issued for.
Decoding is exactly what backend developers do dozens of times a week: a 401 came back from an API, you copy the bearer token, you want to see the "sub", "aud", "scope" and "exp" without firing up Node or Python. Doing that in a random online tool is risky because tokens often carry email addresses, internal user ids, role claims and tenant identifiers — exactly the data you do not want a third party to log.
Everything in this decoder happens client-side in your browser. The token never leaves your device, is not sent to any server, is not stored in localStorage, and disappears when you close the tab. The signature is intentionally not verified — that requires the issuer's secret or public key, which we never ask for. Use your backend or a JWT library when you need cryptographic validation.
How to use JWT Decoder
- Paste the JWT (the long "xxx.yyy.zzz" string) into the input box.
- Read the decoded Header to see the algorithm (alg) and key id (kid) the issuer used.
- Inspect the Payload for claims like sub, aud, iss, scope, and any custom fields your service injected.
- Check the timestamp section — "Expires", "Issued at" and "Not before" are converted to your local timezone.
- Look at the "Valid" / "Expired" badge for an at-a-glance check, then copy individual claims as needed.
- Remember the signature is shown but not verified — for cryptographic validation, hand the token to your backend.
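The decoding pipeline described above (split on the two dots, base64url-decode each segment, parse the JSON, convert the NumericDate claims to local time, show a Valid/Expired verdict and flag an unsigned token) as a self-contained example written for this page; it is not the decoder's own source code. It runs unchanged in a browser tab or in Node 16+ (global `atob`/`btoa`, `TextEncoder`/`TextDecoder`), uses a constructed sample token whose claims, `kid` and signature are made up, and takes an optional clock-skew leeway so the "nbf a few seconds in the future" case can be checked too.

```javascript
// Added example: minimal client-side JWT inspector (decode only, no signature verification).
// Works in a browser or in Node >= 16 (global atob/btoa, TextEncoder/TextDecoder).

function base64UrlDecode(segment) {
  // base64url uses '-' and '_' instead of '+' and '/' and drops the '=' padding (RFC 4648 section 5).
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes); // decode as UTF-8 so non-ASCII claims survive
}

function base64UrlEncode(text) {
  // Only used here to build the constructed sample tokens below.
  const bytes = new TextEncoder().encode(text);
  let binary = '';
  for (const b of bytes) binary += String.fromCharCode(b);
  return btoa(binary).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function decodeJwt(token) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated segments, got ${parts.length} (truncated token?)`);
  }
  const [h, p, s] = parts;
  return {
    header: JSON.parse(base64UrlDecode(h)),
    payload: JSON.parse(base64UrlDecode(p)),
    signature: s, // kept as-is: without the issuer's key it cannot be checked here
  };
}

// exp / nbf / iat are NumericDate values: seconds since the Unix epoch, UTC (RFC 7519 section 4.1).
// skewSeconds is the leeway a verifier might grant for clock drift between issuer and server.
function timeStatus(payload, nowSeconds, skewSeconds = 0) {
  const reasons = [];
  if (typeof payload.exp === 'number' && nowSeconds >= payload.exp + skewSeconds) reasons.push('expired');
  if (typeof payload.nbf === 'number' && nowSeconds + skewSeconds < payload.nbf) reasons.push('not yet valid');
  return { valid: reasons.length === 0, reasons };
}

function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000), skewSeconds = 0) {
  const { header, payload, signature } = decodeJwt(token);
  const dates = {};
  for (const claim of ['iat', 'nbf', 'exp']) {
    if (typeof payload[claim] === 'number') {
      // Raw Unix seconds plus the browser's local-time rendering, as the tool displays them.
      dates[claim] = { unix: payload[claim], local: new Date(payload[claim] * 1000).toString() };
    }
  }
  const warnings = [];
  if (header.alg === 'none' || signature === '') {
    warnings.push('unsigned token (alg "none" or empty signature): a verifying service must reject this');
  }
  return { header, payload, dates, status: timeStatus(payload, nowSeconds, skewSeconds), warnings };
}

// Constructed sample (not from a real issuer): claims and kid are made up, signature is a placeholder.
const SAMPLE_HEADER = { alg: 'HS256', typ: 'JWT', kid: 'example-key-1' };
const SAMPLE_PAYLOAD = {
  iss: 'https://issuer.example', sub: 'user-42', aud: 'api.example',
  iat: 1700000000, nbf: 1700000000, exp: 1700003600, scope: 'read:orders',
};
const SAMPLE_TOKEN = [
  base64UrlEncode(JSON.stringify(SAMPLE_HEADER)),
  base64UrlEncode(JSON.stringify(SAMPLE_PAYLOAD)),
  'not-a-real-signature',
].join('.');
// Same claims with alg "none" and an empty third segment: decodes fine, must never be accepted.
const UNSIGNED_TOKEN = `${base64UrlEncode(JSON.stringify({ alg: 'none' }))}.${base64UrlEncode(JSON.stringify(SAMPLE_PAYLOAD))}.`;

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(inspectJwt(SAMPLE_TOKEN), null, 2));
}
```

`inspectJwt` takes the current time as a parameter so the verdict is reproducible; in a page you would call it with the default (now) and re-run it on a timer so the "Valid" badge flips to "Expired" while the tab is open.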
Common use cases
- Debugging "401 Unauthorized" responses by checking whether the bearer token has actually expired.
- Inspecting an OAuth2 or OIDC access token to confirm scopes, audience and issuer match what the API expects.
- Reading custom claims (tenant id, role, feature flags) added by your auth provider during login.
- Confirming clock-skew issues when the "nbf" (not before) claim lies a few seconds in the future relative to the server's clock.
- Sharing a redacted view of a token with a teammate without copy-pasting it into Slack or a public site.
Tips & common mistakes
- If decoding fails, check that you copied the full token including both dots — many UIs truncate at the first space or hide the trailing signature.
- A decoded payload proves nothing about authenticity. Anyone can craft a valid-looking JWT; only signature verification with the issuer's key tells you it is genuine.
- Treat JWTs like passwords when sharing screenshots — even "expired" tokens can leak user ids, email addresses and internal scope names.
- If "alg" is "none" in the header, the token has no signature at all and your service must reject it. This decoder will still show the payload so you can confirm the bug.
Frequently asked questions
Is the token sent to your servers?
No. Decoding happens entirely in your browser using JavaScript — the token never leaves your device.
Does this verify the signature?
No. This tool only decodes header and payload. Signature verification requires the secret/public key, which we never request — please use your backend or a JWT library for that.
Why are dates shown in my local timezone?
Standard JWT claims like exp, iat, and nbf are Unix timestamps (UTC). We render them in your browser's local timezone for readability.
Will this tool ever send my token to a server?
No. Decoding is plain JavaScript that runs in your browser tab. There is no fetch, no telemetry, and no logging. Open DevTools → Network and you will see zero requests when you paste a token.
Can it decode encrypted JWE tokens too?
No. JWE (encrypted JWTs) need the recipient's private key to be readable. This tool only handles JWS (signed JWTs), which is what the vast majority of OAuth2 and OIDC flows actually issue.
Why does the payload show numeric timestamps and a human date?
Standard claims (exp, iat, nbf) are stored as Unix seconds in UTC. We display the raw number plus a converted local-timezone date so you can spot expiry issues without doing math.
Related tools
- URL Encoder/Decoder: Percent-encode and decode URI components and full URLs
- UUID Generator: Generate cryptographically random UUID v4 in bulk
- Regex Tester: Test regular expressions with live match highlighting
- Cron Expression Builder: Build and explain cron expressions in plain language
- SQL Formatter: Beautify, minify or format SQL queries for any major dialect
- YAML ↔ JSON Converter: Convert between YAML and JSON in either direction