A JSON Web Token (JWT) is a compact, URL-safe token format used for securely transmitting information between parties. JWTs are widely used for authentication, authorization, and information exchange in web applications and APIs. Each token has three Base64URL-encoded parts: a header, a payload, and a signature.
iat, exp, and nbf fields are shown as human-readable dates.
Decode and inspect JWT tokens in three steps.
Enter the full JSON Web Token (all three dot-separated segments). The tool accepts tokens from auth headers, cookies, or local storage.
Hit Decode to split the token into its header, payload, and signature. Each section is parsed and displayed as formatted JSON.
The decoder highlights the exp and iat timestamps and shows whether the token is currently valid, expired, or not yet active.
When a user reports a 401 error, paste their JWT to check if the token is expired, issued for the wrong audience (aud), or missing required scopes.
Inspect the sub, role, permissions, and custom claims in a token to confirm that your auth server is issuing the correct payload after a configuration change.
Decode tokens from OAuth providers like Google, GitHub, or Auth0 to understand what user data and scopes they include before integrating them into your app.
Decode JWTs from staging and production to verify that issuer (iss), audience (aud), and expiration settings match your expected configuration.
Paste your JWT (JSON Web Token) into the input field and click Decode. The tool instantly splits the token into its three parts — header, payload, and signature — and displays each section with formatted JSON. No server call is made.
A JWT is a compact, URL-safe token format used for authentication and data exchange. It consists of three Base64URL-encoded parts separated by dots: a header (algorithm and token type), a payload (claims like user ID, expiration), and a signature (for verification).
Yes. This decoder runs entirely in your browser, and your token is never sent to any server. However, remember that JWTs are not encrypted (just Base64URL-encoded), so anyone with the token can read the payload. Never share JWTs publicly.
This tool decodes and displays the JWT contents but does not verify the cryptographic signature, since verification requires the signing secret or the issuer's public key, which this tool does not have. Use this tool to inspect token structure, claims, and expiration, not for security validation.
After decoding, look for the 'exp' (expiration) claim in the payload. This tool automatically converts the Unix timestamp to a human-readable date and shows whether the token is currently expired, making it easy to debug authentication issues.
Standard claims include 'iss' (issuer), 'sub' (subject/user ID), 'aud' (audience), 'exp' (expiration time), 'iat' (issued at), and 'nbf' (not before). Custom claims can include any application-specific data like roles, permissions, or user details.