JWT Decoder
Inspect a token's header and payload and check its expiry.
About JWT Decoder
A JWT has three dot-separated parts: header, payload and signature. The first two are only Base64, so anyone can read them — this tool does exactly that and turns claims like the expiry timestamp into a readable date.
How to use JWT Decoder
- 1
Paste the full token into the box.
- 2
Header and payload are decoded and formatted instantly.
- 3
Issued-at and expiry times are converted to readable dates with a validity status.
- 4
Inspect your application-specific claims in the same payload output.
Frequently asked questions
Does this verify the signature?
No, and no browser tool can. Signature verification needs the server secret, which must never reach a browser. This tool only reads the payload.
Then how is a JWT secure if everyone can read it?
JWT security comes from the signature, not secrecy: anyone can read it, but nobody can alter it without the key. That is why you must never put sensitive data in the payload.
Is pasting a real token here risky?
This page runs entirely in your browser and the token is never sent anywhere. Even so, it is good practice never to paste production tokens into any online tool.