🌐 EN

πŸ”“ JWT Decoder

Paste a JWT (JSON Web Token) to instantly base64url-decode its header and payload into pretty-printed JSON. The exp/iat/nbf claims are shown as human-readable times, with a badge indicating whether the token is expired.

⚠️ This tool only decodes β€” it does not verify the signature. There is deliberately no secret-key input field for security reasons. If you need signature verification, use a server-side JWT library.

GUIDE

Learn more

01

1. Understanding JWT structure

A JWT has three dot-separated parts: header.payload.signature. The header holds the signing algorithm (alg) and token type (typ); the payload holds the actual claims (user ID, permissions, issue time, etc.), all base64url-encoded. The signature is the header+payload signed with a secret (or private key), used to verify the token hasn't been tampered with β€” but this tool does not perform that verification.

02

2. The exp, iat and nbf claims

exp (expiration) is when the token expires, iat (issued at) is when it was issued, and nbf (not before) means the token isn't valid before that time. All three are stored as Unix timestamps (seconds), which aren't human-readable at a glance. This tool shows each as both local time and ISO 8601, and flags an "Expired" badge if exp is in the past.

03

3. When you need signature verification

Verifying a JWT signature requires the secret used to sign it (HMAC family, e.g. HS256) or the corresponding public key (RSA/ECDSA family, e.g. RS256/ES256). That's a sensitive operation that belongs server-side, so this browser tool only decodes (lets you inspect the content) and never asks for a secret. For real verification, use a backend JWT library (jsonwebtoken, PyJWT, firebase-admin, etc.).

Frequently asked questions

Can this tool be used to forge a JWT?
No. It only decodes (base64url-decodes) β€” it never generates or verifies a signature. A valid signature requires the secret/private key known only to the issuer, and this tool never accepts one.
Why is there no secret key input field?
For security. Pasting secrets into browser tools is a habit that risks accidental exposure, so this tool was designed to never accept one in the first place.
How can I tell if a token is expired?
If the payload has an exp claim, it's automatically compared to the current time and shown as an "Expired" or "Valid (not yet expired)" badge.
Is the token I paste sent to a server?
No. Decoding happens entirely in your browser's JavaScript and is never sent to a server.