JWT Decoder
Decode and inspect JSON Web Token headers and payloads.
The signature is not verified. This tool only decodes the token; it does not check it against any secret or public key. Never trust a JWT's contents until the system relying on the token has verified its signature with the issuer's secret or public key.
How to use JWT Decoder
What this tool does
A JSON Web Token packs three parts into one compact string: a header, a
payload, and a signature, joined by dots. This tool splits the token on
those dots, base64url-decodes the header and payload, pretty-prints each as
formatted JSON, and shows the signature exactly as supplied. It also reads the
standard time claims — iat, nbf, and exp — and converts them from raw
Unix timestamps into readable UTC times with a relative phrase like “in 2
hours” or “3 days ago”. If the exp claim is in the past, the token is clearly
flagged as expired.
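As an added example (not the tool's own source code), here is a minimal decoder in plain JavaScript that does the steps listed above: split on the dots, restore base64url padding, parse the header and payload as JSON, render iat, nbf and exp as UTC times with a relative phrase, and flag an expired token. It never verifies the signature. The helper names, the fixed clock NOW and the sample token are constructed for this example; the code runs in a browser or in Node 16+ since it only uses atob/btoa and TextEncoder/TextDecoder.

```javascript
// Added example (not the tool's own code): decode a JWT without verifying it.
// Runs in a browser or Node 16+ (uses atob/btoa and TextEncoder/TextDecoder).

function base64UrlDecode(segment) {
  // base64url swaps '+' '/' for '-' '_' and drops '=' padding; restore both
  // so atob() accepts the segment, then decode the bytes as UTF-8.
  let b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const rem = b64.length % 4;
  if (rem === 1) throw new Error('malformed base64url segment');
  if (rem) b64 += '='.repeat(4 - rem);
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

function base64UrlEncode(text) {
  // Only used here to build the constructed sample token below.
  const bin = String.fromCharCode(...new TextEncoder().encode(text));
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function describeRelative(deltaSeconds) {
  // "in 2 hours" / "3 days ago", using the largest unit that fits.
  const units = [['day', 86400], ['hour', 3600], ['minute', 60], ['second', 1]];
  const abs = Math.abs(deltaSeconds);
  const [name, size] = units.find(([, s]) => abs >= s) || units[3];
  const n = Math.floor(abs / size);
  const label = `${n} ${name}${n === 1 ? '' : 's'}`;
  return deltaSeconds >= 0 ? `in ${label}` : `${label} ago`;
}

// Decode only. The signature is returned exactly as supplied and is NOT checked.
function decodeJwt(token, now = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) {
    throw new Error(`malformed token: expected 3 segments, got ${parts.length}`);
  }
  const [h, p, signature] = parts;
  const header = JSON.parse(base64UrlDecode(h));
  const payload = JSON.parse(base64UrlDecode(p));

  const timeClaims = {};
  for (const claim of ['iat', 'nbf', 'exp']) {
    if (typeof payload[claim] === 'number') {
      timeClaims[claim] = {
        utc: new Date(payload[claim] * 1000).toISOString(),
        relative: describeRelative(payload[claim] - now),
      };
    }
  }
  // RFC 7519: the current time must be strictly before exp, so exp <= now is expired.
  const expired = typeof payload.exp === 'number' && payload.exp <= now;
  return { header, payload, signature, timeClaims, expired };
}

// Constructed sample: a fixed clock and a token that expired an hour ago.
// The signature segment is a placeholder because nothing here verifies it.
const NOW = 1700000000;
function buildSample(payload) {
  const header = { alg: 'HS256', typ: 'JWT' };
  return `${base64UrlEncode(JSON.stringify(header))}.${base64UrlEncode(JSON.stringify(payload))}.AAAA`;
}
const EXPIRED_SAMPLE = buildSample({ sub: 'user-42', iat: NOW - 7200, nbf: NOW - 7200, exp: NOW - 3600 });

console.log(JSON.stringify(decodeJwt(EXPIRED_SAMPLE, NOW), null, 2));
```

The padding step is the part people get wrong by hand: a segment whose length is 1 mod 4 can never be valid base64url, so it is reported as malformed rather than padded into something that decodes to garbage.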
Why you might need it
JWTs are everywhere in modern authentication: login sessions, API access tokens, OAuth flows, and service-to-service calls. When something goes wrong, such as a rejected request, a user logged out early, or a missing permission, the first question is usually "what is actually inside this token?" Decoding it by hand means manually fixing base64url padding and parsing JSON, which is slow and easy to get wrong. This tool does it instantly so you can read the claims, check the expiry, and confirm which algorithm (alg) and key identifier (kid) the header names.
How to use it
- Paste the full token into the input box, or click Load sample to try one.
- The header and payload appear immediately as formatted JSON in their panels.
- Check the Time claims section for readable issue, not-before, and expiry times.
- If the token has expired, a red banner says so.
- Use the copy button above the header or payload to grab that JSON.
Common pitfalls
The single most important thing to understand is that decoding is not verifying. A JWT's payload is only base64url-encoded: anyone can read it, and anyone can craft a token with any payload they like. The signature is what proves the token came from a trusted issuer and was not tampered with, and verifying it requires the secret or public key. This tool intentionally never asks for a key, so it cannot and does not verify anything. Always verify on the server before trusting a token, and verify with the algorithm and key the server is configured to expect rather than whatever the token's header names.
A second pitfall is treating a JWT as confidential. Because the payload is readable by anyone who holds the token, you should never store passwords, full credit card numbers, or other secrets in it. If you see sensitive data in a decoded payload, that is a design problem worth fixing.
Finally, copy errors are common. Tokens are long, and a stray space, a line break, a leading "Bearer " prefix copied from an Authorization header, or a missing segment will make decoding fail. If you get a malformed error, re-copy the entire token from its source.
Tips and advanced use
Use the time claims to debug session problems quickly. If users are being logged out sooner than expected, compare iat and exp to see the token's real lifetime. If a token is being rejected as "not yet valid", check nbf against the current time; clock skew between the issuing and verifying servers is a frequent cause, which is why verifiers usually allow a small leeway of a minute or so. The header's alg field tells you the signing algorithm. An alg of none is a red flag: a verifier should never accept it, so a token with alg none that a system did accept means that system's verification is broken. An alg that differs from what the server is configured to expect deserves the same scrutiny. Because every step here runs locally in your browser, nothing about the token ever leaves your device, so it is safe to paste a production token while inspecting a live incident. Remember, though, that a decoded token is still a live bearer credential until it expires: keep it out of screenshots, chat logs, and shared screens.
Frequently asked questions
Is my token sent to a server?
No. Decoding runs entirely in your browser; the token is never transmitted anywhere.
Does this tool verify the signature?
No. It decodes the header and payload and shows the signature as supplied, but it never asks for a secret or public key, so it cannot check that the signature is valid. Verify on the server before trusting any claim.
Why is the payload readable without a password?
The header and payload are base64url-encoded, not encrypted. Encoding only changes the representation of the bytes; anyone holding the token can read them.
What do exp, iat, and nbf mean?
They are Unix timestamps (seconds since 1970-01-01 UTC). iat is when the token was issued, nbf is the time before which it must not be accepted, and exp is the time at or after which it is expired.
Why does it say my token is malformed?
A JWT must have exactly three base64url segments separated by dots, and the first two must decode to valid JSON. A stray space, a line break, a leading "Bearer " prefix, or a missing segment will trigger this error; re-copy the whole token from its source.
Related tools
Regex Tester
Test regular expressions with live match highlighting.
UUID Generator
Generate v1 and v4 UUIDs in bulk.
ULID Generator
Generate sortable, time-based ULIDs.
Hash Generator
Generate MD5, SHA-1, SHA-256, and SHA-512 hashes.
HMAC Generator
Generate HMAC signatures with the Web Crypto API.
HTML to Markdown
Convert HTML into clean Markdown.