Paste a JSON Web Token below and click Decode to see its header, payload, and standard claims — including human-readable dates for exp, iat, and nbf, and a clear expired/valid status. Everything runs in your browser; nothing is uploaded.
Note: this tool decodes the token so you can read it — it does not verify the signature. Verification requires the secret or public key. Also, even though nothing leaves your browser, avoid pasting live production tokens that grant real access or contain sensitive user data.
JSON Web Tokens (JWTs) are the de facto standard for stateless authentication in modern web apps and APIs. When a login flow misbehaves, the fastest way to debug it is usually to look inside the token itself: which algorithm signed it, who issued it, which user it belongs to, and — most often — whether it has expired. This free JWT Decoder does exactly that. Paste any token and it instantly splits it into its three parts, base64url-decodes the header and payload, pretty-prints both as JSON, and lays out the standard claims in a readable table with human-friendly UTC dates.
The entire tool runs client-side in your browser. There is no API call, no upload, and no storage — the decoding is plain JavaScript operating on the text in the box. That said, treat tokens like passwords: if a token is live and grants access to a production system, prefer decoding a test or expired token instead.
A JWT is three base64url-encoded segments joined by dots: header.payload.signature.
alg (the signing algorithm, e.g. HS256 or RS256) and typ (usually JWT).iss, sub, aud, exp, iat, nbf, and jti, plus any custom claims your app adds (roles, email, tenant id, and so on).All three are unix timestamps in seconds, not milliseconds — a classic source of bugs when JavaScript's Date.now() (milliseconds) is compared against them directly. If you need to convert timestamps by hand, our Unix Timestamp Converter handles both units.
The most important thing to understand about JWTs: the header and payload are encoded, not encrypted. Base64url is a reversible text encoding — anyone who obtains a token can read every claim inside it, no secret required. What the secret (or private key) protects is the signature, which lets your server confirm the token is genuine and unmodified. Practical consequences:
alg: none or an algorithm your server does not expect — algorithm-confusion attacks rely on servers being too permissive.exp; an expired token is the most common culprit.aud and iss against your API's configured values.nbf and iat against server time.Working with base64 directly? Try the Base64 Encoder/Decoder, or hash data with the Hash Generator. To go deeper on tokens, read JWT Authentication Explained for Beginners, How to Decode JWT Tokens with Base64 in JavaScript, and JWT vs Session Authentication.