Tool 05

JWT Decoder

Decode and inspect JSON Web Tokens — header, payload claims, expiry status, and timestamps.

JWT

Decode JSON Web Token

Client-side only. The signature is displayed but not verified.

Ready

JWT Token

Paste a JWT with three Base64URL segments separated by dots.

Paste a JWT token and click Decode.

Help

How to Use the JWT Decoder

Paste a JWT token

A valid JWT has exactly three Base64URL segments separated by dots: header.payload.signature. Paste the full token string into the input area.

Decode and inspect

Click Decode to parse the token. The header, payload, and raw signature are shown in separate sections. All three parts are decoded client-side — nothing is sent to any server.

Read the claims

The payload section lists every claim. Timestamp fields — iat (issued at), exp (expires), nbf (not before), auth_time — are automatically displayed as human-readable UTC dates.

Check expiry status

If an exp claim is present, the tool shows whether the token is still valid or expired, with the exact time remaining or elapsed.

Signature is not verified. Anyone can forge a token with any payload — never trust JWT claims without server-side verification using the correct secret or public key.

HeaderContains alg (signing algorithm, e.g. HS256, RS256) and typ (token type, usually JWT).

PayloadContains claims — registered (sub, iss, aud, exp) and custom application claims.

SignatureThe raw Base64URL signature segment. Displayed as-is — verification requires the secret or public key and must be done server-side.

Timestampsiat = issued at · exp = expires · nbf = not valid before. All shown as Unix seconds and UTC date.