Skip to content
1001 Tools
sr
Developer tools

JWT Decoder

Paste a JSON Web Token and instantly read what’s inside: the header, the payload, and the standard time claims shown as dates with an at-a-glance expiry status. Decoding happens entirely in your browser — the token, which often grants access to an account, never leaves your device.

Decoding only — the signature is not verified. A JWT payload is not encrypted, so treat it as readable; verify authenticity on your server with the signing key.

How it works

A JWT is three base64url-encoded parts joined by dots: header, payload and signature. The tool splits on the dots, base64url-decodes the first two parts and parses them as JSON, then reads the standard time claims — iat (issued at), exp (expires) and nbf (not before) — and renders them as local dates.

It does not verify the signature. Checking that a token is authentic requires the server’s secret or public key, which should never be pasted into a web page — so this tool only reads the claims. A decoded token tells you what it says, not whether it’s genuine or untampered.

Practical examples

Checking why a login “expired”

Paste the access token from your app and read the exp date. If it’s in the past, the badge shows Expired — explaining the 401 you’re getting without digging through code.

Inspecting a token’s claims

See exactly which scopes, roles or user id a token carries in its payload, formatted as readable JSON — handy when an API returns “forbidden” and you suspect a missing claim.

Confirming the signing algorithm

The header shows the alg field, e.g. HS256 or RS256. Decode a token to verify a service is issuing it with the algorithm you expect, not “none”.

Frequently asked questions

Does this verify the token’s signature?

No. It only decodes and displays the header and payload. Verifying the signature proves a token is authentic and untampered, but that requires the secret or public key — which you should never paste into a website. Verify on your server instead.

Is my token sent to a server?

No. Decoding runs entirely in your browser. Because tokens frequently grant access to accounts or APIs, that’s important — you can even disconnect from the internet after the page loads and it still works.

Is the payload of a JWT encrypted?

No. A standard JWT is signed, not encrypted — its payload is only base64url-encoded, so anyone with the token can read it. Never put secrets in a JWT payload, and treat a decoded payload as public information.

What do iat, exp and nbf mean?

“iat” is when the token was issued, “exp” is when it stops being valid, and “nbf” (not before) is the earliest time it may be used. All are Unix timestamps in seconds; the tool converts them to readable dates.

Why does it say expired when the server still accepts it?

Servers often allow a small clock-skew tolerance, and the exp is compared against your device’s clock here. If your clock is off, the status can differ slightly from the server’s view. The exp value itself is authoritative.

What does the “alg” in the header tell me?

It’s the algorithm used to sign the token, such as HS256 (shared secret) or RS256 (public/private key). If it ever reads “none”, the token is unsigned — a red flag, since it can be forged trivially.

Why won’t my token decode?

A JWT must have exactly three dot-separated parts, each valid base64url, with the first two being JSON. Common causes of failure are a copied fragment, extra whitespace inside the token, or pasting something that isn’t a JWT at all.

Does it handle non-ASCII characters in claims?

Yes. Payloads are decoded as UTF-8, so names or values with accented letters — like Đorđević — display correctly rather than as garbled bytes.

Can I decode an encrypted JWE token?

No. This tool reads signed JWTs (JWS). Encrypted tokens (JWE) require a decryption key and a different process; there’s nothing readable to show without it.

Related tools