Free JWT Decoder — Inspect JSON Web Tokens

Paste a JWT to see its header and payload, with timestamps translated to readable dates. Decoding happens locally — your token never leaves the browser.


⚠️ The signature is not verified — decoding only proves what the token says, not that it's authentic. Verification requires the signing secret or public key on a server.

Frequently Asked Questions

Is it safe to paste a real token here?

Decoding runs entirely in your browser — the token is never transmitted or logged. That said, treat production tokens like passwords: prefer expired or development tokens when debugging, since anyone who obtains a live token can use it.

Why can I read a JWT without the secret key?

JWTs are encoded (Base64URL), not encrypted. The secret key only creates the signature that proves the token wasn't tampered with — it doesn't hide the contents. Never put sensitive data in a JWT payload.

What are exp, iat, and nbf?

Standard time claims, as Unix timestamps: exp is when the token expires, iat when it was issued, and nbf ("not before") the earliest moment it's valid. This tool converts each to a readable date and tells you if the token is expired.

Why does my token fail to decode?

A JWT must be three Base64URL sections separated by dots. Common issues: extra whitespace or line breaks from copying, a truncated token, or an opaque session ID that isn't a JWT at all.
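
The decoding steps described in the answers above, as an added example that is not this tool's own code: it splits the token, Base64URL-decodes the header and payload, converts exp, iat, and nbf to dates, and reports the common failure cases. The names `inspectJwt` and `b64urlToJson` are hypothetical, and the sample token is constructed with a placeholder in place of a real signature.

```javascript
// Added example: local JWT inspection only. No signature verification is performed.
const TIME_CLAIMS = ["exp", "iat", "nbf"];

function b64urlToJson(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error("not Base64URL");
  if (segment.length % 4 === 1) throw new Error("truncated Base64URL");
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/")
    .padEnd(Math.ceil(segment.length / 4) * 4, "=");
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  const obj = JSON.parse(new TextDecoder("utf-8", { fatal: true }).decode(bytes));
  if (obj === null || typeof obj !== "object") throw new Error("not a JSON object");
  return obj;
}

function inspectJwt(raw, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = raw.replace(/\s+/g, "").split("."); // drop whitespace from copying
  if (parts.length !== 3) {
    return { ok: false, error: `expected 3 sections, got ${parts.length}` };
  }
  let header, payload;
  try {
    header = b64urlToJson(parts[0]);
    payload = b64urlToJson(parts[1]);
  } catch (e) {
    return { ok: false, error: `header or payload did not decode: ${e.message}` };
  }
  const times = {};
  for (const claim of TIME_CLAIMS) {
    if (typeof payload[claim] === "number") { // Unix seconds -> ISO 8601 date
      times[claim] = new Date(payload[claim] * 1000).toISOString();
    }
  }
  return {
    ok: true, header, payload, times,
    expired: typeof payload.exp === "number" ? nowSeconds >= payload.exp : null,
    notYetValid: typeof payload.nbf === "number" ? nowSeconds < payload.nbf : null,
    signatureVerified: false, // decoding shows what the token says, not that it is authentic
  };
}

// Constructed sample token; the third section is a placeholder, not a valid signature.
const enc = (o) => btoa(JSON.stringify(o)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE = [
  enc({ alg: "HS256", typ: "JWT" }),
  enc({ sub: "demo-user", iat: 1700000000, nbf: 1700000000, exp: 1700003600 }),
  "Y29uc3RydWN0ZWQ",
].join(".");
console.log(inspectJwt(SAMPLE));
```
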