JWT Decoder
Paste a JWT to decode its header and payload, view registered claims with labels, check expiration status, and see timestamps as human-readable dates. 100% client-side — your tokens never leave the browser.
How It Works
Paste your JWT
Paste a JSON Web Token into the input field. The token is decoded instantly as you type.
Inspect header and payload
View the decoded header and payload as formatted JSON. Registered claims are labeled, and timestamps are shown as readable dates.
Check token status
See at a glance whether the token is valid, expired, or not yet valid based on its exp and nbf claims.
Frequently Asked Questions
What is a JSON Web Token (JWT)?
A JWT is a compact, URL-safe token format used for authentication and information exchange. It consists of three Base64URL-encoded parts separated by dots: a header, a payload, and a signature.
Is my token sent to a server?
No. All decoding happens entirely in your browser using JavaScript. Your token never leaves your device — it is safe to paste production tokens here.
Can this tool verify JWT signatures?
Yes, for HMAC-signed tokens (HS256, HS384, HS512). Enter the secret key in the signature section and click Verify. The verification uses the Web Crypto API and runs entirely in your browser — the secret key is never sent to any server. RSA and ECDSA signatures are not currently supported.
What do the timestamp claims mean?
Common timestamp claims include: exp (Expiration Time) — when the token expires; iat (Issued At) — when the token was created; nbf (Not Before) — the earliest time the token is valid. All are Unix timestamps in seconds.
Why does my token show as expired?
The tool compares the exp claim against your browser's current time. If the current time is past the expiration, the token is marked as expired. Check that your system clock is accurate.