Security Tool

JWT Decoder & Inspector

Decode, inspect, and analyze any JSON Web Token instantly. See the header, payload, and all standard claims with human-readable timestamps and live expiry status — 100% in your browser.


How to Use

1. Paste your JWT — the full token including all three dot-separated parts: header, payload, and signature.
2. Click Decode — the tool splits and decodes each part, color-codes the structure, and displays a claims table below.
3. Read the claims table — standard claims like exp, iat, and nbf are converted to readable dates with live expiry status.
4. Check the expiry bar — see how much of the token’s lifetime has been used at a glance. You can also press Ctrl+Enter to decode.

Why Use This Tool

JWTs appear in API authorization headers, OAuth flows, and session cookies. Quickly inspecting them without an external service or heavy client saves time and keeps credentials safe.

100% Private
Decoding runs locally in your browser. Your token is never sent to any server.

Live Expiry Status
Know instantly whether the token is valid, expired, or not yet active based on exp and nbf.

Color-coded Parts
Header, payload, and signature are visually separated so the structure is obvious at a glance.

Human-readable Dates
Unix timestamps in iat, exp, and nbf are converted to local date/time automatically.

What Is a JSON Web Token?

A JSON Web Token (JWT) is a compact, URL-safe token format defined by RFC 7519. In its usual signed form (a JWS in compact serialization) it consists of three Base64URL-encoded parts separated by dots: a header naming the signing algorithm (the alg field) and token type, a payload containing claims, and a signature computed over the first two parts that lets a verifier confirm the token was issued by the holder of the key and has not been altered.

JWTs are widely used for authentication and authorization — for example, an API server issues a JWT after login, and the client sends it with every request in the Authorization: Bearer header. The server validates the signature and reads the claims to decide whether access is allowed.

This tool decodes the header and payload, which are only Base64URL-encoded, not encrypted: anyone who holds the token can read them, so never put secrets in a JWT payload. The signature is displayed but not checked. For HMAC algorithms such as HS256, checking it requires the shared secret, which belongs only to the issuer and the servers that trust it; for asymmetric algorithms such as RS256 or ES256, it requires the issuer’s public key. In either case the decision to accept a token belongs to the server that receives it, after it has verified the signature and checked exp, nbf and the issuer and audience claims.
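The decode-and-inspect procedure from the How to Use steps, written out as an added example in browser JavaScript (not the tool’s own source): it splits the token, Base64URL-decodes the header and payload, builds the claims table with readable timestamps, reports the expiry state from exp and nbf, and computes the lifetime fraction behind the expiry bar. The sample token is constructed inside the block and its signature segment is a placeholder; nothing here verifies a signature. atob, btoa, TextDecoder and TextEncoder are assumed to be available (browsers and Node 16+).

```javascript
// Added example, not the page's tool. Decodes a JWS compact token; does NOT verify it.

// base64url (RFC 4648 section 5, unpadded) -> UTF-8 string.
function base64UrlDecode(s) {
  if (!/^[A-Za-z0-9_-]*$/.test(s)) throw new Error('not base64url');
  const pad = '='.repeat((4 - (s.length % 4)) % 4);
  const bin = atob(s.replace(/-/g, '+').replace(/_/g, '/') + pad);
  return new TextDecoder().decode(Uint8Array.from(bin, c => c.charCodeAt(0)));
}

// Inverse of the above; used only to build the constructed sample token below.
function base64UrlEncode(str) {
  const bytes = new TextEncoder().encode(str);
  const bin = Array.from(bytes, b => String.fromCharCode(b)).join('');
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Step 2: split on dots and decode the two JSON parts. A five-part token is a JWE,
// which needs the recipient's key and cannot be inspected this way.
function decodeJwt(token) {
  const parts = token.trim().split('.');
  if (parts.length === 5) throw new Error('five parts: this is a JWE, not a JWS');
  if (parts.length !== 3) throw new Error(`expected 3 dot-separated parts, got ${parts.length}`);
  const [h, p, signature] = parts;
  const header = JSON.parse(base64UrlDecode(h));
  const payload = JSON.parse(base64UrlDecode(p));
  if (!header || typeof header !== 'object' || !payload || typeof payload !== 'object') {
    throw new Error('header and payload must be JSON objects');
  }
  return { header, payload, signature }; // signature left encoded and unchecked
}

// Step 3: expiry state from the NumericDate claims (seconds since the epoch).
// RFC 7519: now must be strictly before exp, and not before nbf.
function tokenStatus(payload, nowSeconds = Math.floor(Date.now() / 1000)) {
  if (typeof payload.nbf === 'number' && nowSeconds < payload.nbf) return 'not-yet-active';
  if (typeof payload.exp === 'number' && nowSeconds >= payload.exp) return 'expired';
  return 'active';
}

// Step 4: fraction of the iat..exp lifetime already used, clamped to [0, 1].
function lifetimeUsed(payload, nowSeconds = Math.floor(Date.now() / 1000)) {
  const { iat, exp } = payload;
  if (typeof iat !== 'number' || typeof exp !== 'number' || exp <= iat) return null;
  return Math.min(1, Math.max(0, (nowSeconds - iat) / (exp - iat)));
}

// Claims table rows; the three date claims get an ISO timestamp alongside the raw value.
function claimsTable(payload) {
  const dateClaims = new Set(['exp', 'iat', 'nbf']);
  return Object.entries(payload).map(([name, value]) => ({
    name,
    value,
    readable: dateClaims.has(name) && typeof value === 'number'
      ? new Date(value * 1000).toISOString()
      : String(value),
  }));
}

// Constructed sample (not a real credential): HS256 header, one-hour lifetime,
// 'AAAA' standing in for the signature bytes.
const SAMPLE_PAYLOAD = {
  iss: 'https://issuer.example', sub: 'user-42',
  iat: 1700000000, nbf: 1700000000, exp: 1700003600,
};
const SAMPLE_TOKEN = [
  base64UrlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' })),
  base64UrlEncode(JSON.stringify(SAMPLE_PAYLOAD)),
  'AAAA',
].join('.');

const decoded = decodeJwt(SAMPLE_TOKEN);
console.log(decoded.header, tokenStatus(decoded.payload, 1700001800),
  lifetimeUsed(decoded.payload, 1700001800), claimsTable(decoded.payload));
```

Passing a fixed nowSeconds, as the calls above do, makes the status and lifetime reproducible; the tool itself uses the current clock, which is why its status is live.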

Frequently Asked Questions

Is it safe to paste my token here?
Yes. All processing happens in your browser using JavaScript, and the token is never sent to any server. That said, avoid pasting production tokens with sensitive payloads on shared machines; the decoded payload stays readable on screen.

Can this tool verify the signature?
No. This tool decodes and displays the header and payload only. Verifying the signature needs the signing key: for HMAC algorithms (HS256 and similar) that is the shared secret, which must never reach a browser; for asymmetric algorithms (RS256, ES256 and similar) it is the issuer’s public key. Whether a token should be trusted is a decision for the server that accepts it, made after it has verified the signature.

What does “Future / Not Yet Active” mean?
If the nbf (not before) claim is set to a future timestamp, the token may be correctly signed, but a server must not accept it before that time. This tool shows that state as “Future / Not Yet Active”.

What is the difference between iat and exp?
iat (Issued At) is the Unix timestamp when the token was created. exp (Expiration Time) is the timestamp after which it must not be accepted. The difference between them is the token’s total lifetime. If exp is in the past, the token is no longer valid.

Can this tool decode encrypted JWTs?
No. This tool handles standard signed JWTs (JWS). Encrypted JWTs (JWE) have a different structure and require the recipient’s key to decrypt. If your token has five dot-separated parts, it is a JWE and cannot be decoded here.
