Free JWT Decoder — Inspect JSON Web Tokens
Paste a JWT to see its header and payload, with timestamps translated to readable dates. Decoding happens locally — your token never leaves the browser.
⚠️ The signature is not verified — decoding only shows what the token says, not that it's authentic. Verification requires the signing secret or public key on a server.
Frequently Asked Questions
Is it safe to paste a real token here?
Decoding runs entirely in your browser — the token is never transmitted or logged. That said, treat production tokens like passwords: prefer expired or development tokens when debugging, since anyone who obtains a live token can use it.
Why can I read a JWT without the secret key?
JWTs are encoded (Base64URL), not encrypted. The secret key only creates the signature that proves the token wasn't tampered with — it doesn't hide the contents. Never put sensitive data in a JWT payload.
What are exp, iat, and nbf?
Standard time claims, as Unix timestamps: exp is when the token expires, iat when it was issued, and nbf ("not before") the earliest moment it's valid. This tool converts each to a readable date and tells you if the token is expired.
Why does my token fail to decode?
A JWT must be three Base64URL sections separated by dots. Common issues: extra whitespace or line breaks from copying, a truncated token, or an opaque session ID that isn't a JWT at all.
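The decoding steps described in the answers above, as an added example (not this tool's own code): it strips pasted whitespace, requires three sections, Base64URL-decodes the header and payload, converts exp, iat and nbf to dates, and leaves the signature unchecked. The function names and the sample token are constructed for illustration.

```javascript
// Base64URL -> UTF-8 string; rejects characters outside the Base64URL alphabet.
function base64UrlDecode(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment) || segment.length % 4 === 1) {
    throw new Error("segment is not valid Base64URL");
  }
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

// Decode only: the signature section is never checked, so nothing here is proof of authenticity.
function decodeJwt(raw, nowSeconds = Math.floor(Date.now() / 1000)) {
  const token = raw.replace(/\s+/g, ""); // copying often adds whitespace or line breaks
  const parts = token.split(".");
  if (parts.length !== 3) {
    // Truncated tokens and opaque session IDs usually fail here.
    throw new Error(`expected 3 dot-separated sections, found ${parts.length}`);
  }
  const [header, payload] = parts.slice(0, 2).map((p) => JSON.parse(base64UrlDecode(p)));
  const times = {};
  for (const claim of ["exp", "iat", "nbf"]) {
    if (typeof payload[claim] === "number") {
      times[claim] = new Date(payload[claim] * 1000).toISOString(); // Unix seconds -> date
    }
  }
  return {
    header,
    payload,
    times,
    expired: typeof payload.exp === "number" && nowSeconds >= payload.exp,
    notYetValid: typeof payload.nbf === "number" && nowSeconds < payload.nbf,
    signatureVerified: false,
  };
}

// Constructed sample token; the third section is a placeholder, not a real signature.
const toB64Url = (obj) =>
  btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const sampleToken = [
  toB64Url({ alg: "HS256", typ: "JWT" }),
  toB64Url({ sub: "demo-user", iat: 1700000000, nbf: 1700000000, exp: 1700003600 }),
  "c2lnbmF0dXJl",
].join(".");
```

Calling decodeJwt(sampleToken) returns the parsed header and payload with signatureVerified always false; a server still has to verify the signature before trusting any claim.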