JWT Decoder
Decode and inspect JSON Web Tokens — header, payload claims, and expiry status.
Deep Dive
Decode and inspect the header and payload sections of any JSON Web Token (JWT) without needing a secret key. This tool parses the Base64URL-encoded parts and displays the JSON contents in a readable format. Note: this tool does not verify the signature — it only reads the claims.
Who uses this?
- Inspecting token claims during API development and debugging
- Checking whether a JWT has expired
- Reading user roles and permissions embedded in a token
- Teaching JWT structure in a workshop or tutorial
Examples
Input
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.<payload>.<sig>
Output
{ "alg": "HS256", "typ": "JWT" }
Common Errors & Fixes
'Invalid JWT' with a token that looks correct
Remove any surrounding quotes or whitespace. Some tools wrap JWTs in quotes when copying.
Payload shows garbled characters
The JWT may use a non-standard encoding. Ensure the token is a proper Base64URL string without standard Base64 `+` or `/` characters.
`exp` claim shows a date in the past
The token has expired. Your application or server needs to issue a fresh token.
Expert FAQ
Does this verify the JWT signature?
No. Signature verification requires the shared secret or the issuer's public key. This tool only decodes the readable parts of the token, so the claims it displays are unverified and should not be treated as authentic.
Is it safe to paste a production JWT here?
Decoding happens entirely in your browser — nothing is sent to a server. That said, treat JWTs like passwords; avoid pasting tokens with sensitive permissions into any third-party site.
Why does the payload show an `exp` timestamp?
`exp` is a Unix timestamp (seconds since 1970-01-01 UTC). The tool converts it to a human-readable date for convenience.
I see 'Invalid JWT format' — why?
A valid JWT must consist of exactly three Base64URL parts separated by dots. Ensure you copied the complete token without extra spaces or line breaks.
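The decoding steps described on this page (three-part split, Base64URL check, `exp` conversion), as an added JavaScript example that is not the tool's own code. The function names, the sample `sub` and `role` claims, and the placeholder signature are constructed for illustration; `atob`, `btoa` and `TextDecoder` are assumed to be available as globals (browsers, recent Node.js).

```javascript
// Added example: decode-only JWT inspection. The signature is never verified.
const B64URL = /^[A-Za-z0-9_-]+$/;

function b64urlToJson(part, name) {
  // Reject standard Base64 characters (+, /, =), whitespace and empty parts.
  if (!B64URL.test(part)) {
    throw new Error(`Invalid JWT: ${name} is not Base64URL`);
  }
  // Map the URL-safe alphabet back to standard Base64 and restore padding.
  const b64 = part.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  // Decode as strict UTF-8 so non-ASCII claim values are not garbled.
  const text = new TextDecoder("utf-8", { fatal: true }).decode(bytes);
  const obj = JSON.parse(text);
  if (obj === null || typeof obj !== "object") {
    throw new Error(`Invalid JWT: ${name} is not a JSON object`);
  }
  return obj;
}

function inspectJwt(input, nowSeconds = Math.floor(Date.now() / 1000)) {
  // Strip whitespace and one pair of surrounding quotes added by copy/paste.
  const token = String(input).trim().replace(/^["']|["']$/g, "");
  const parts = token.split(".");
  if (parts.length !== 3) {
    throw new Error("Invalid JWT format: expected three dot-separated parts");
  }
  const header = b64urlToJson(parts[0], "header");
  const payload = b64urlToJson(parts[1], "payload");
  let expiresAt = null;
  let expired = null; // null means the token carries no numeric exp claim
  if (typeof payload.exp === "number") {
    expiresAt = new Date(payload.exp * 1000).toISOString(); // exp is in seconds
    expired = nowSeconds >= payload.exp;
  }
  // Claims are unauthenticated: anyone can craft a token that decodes cleanly.
  return { header, payload, expiresAt, expired, signatureVerified: false };
}

// Constructed sample token (not a real credential); "c2ln" is a dummy signature.
const enc = (obj) =>
  btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE = [enc({ alg: "HS256", typ: "JWT" }),
  enc({ sub: "user-1", role: "admin", exp: 1700000000 }), "c2ln"].join(".");

console.log(inspectJwt(`"${SAMPLE}"\n`));
```

The `signatureVerified: false` field is a reminder that the `role` and `exp` values shown are only what the token claims; a server must verify the signature before acting on them.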