Decoding happens entirely in your browser. Your token is never sent to a server, logged, or stored.
Decode and inspect JSON Web Tokens instantly in your browser. View the header and payload, read registered claims as human-readable dates, and check token expiry — all client-side. No sign-up, nothing stored.
A JWT (JSON Web Token) is a compact, URL-safe token used to carry claims between parties — most commonly for authentication and authorization. It is made of three Base64URL-encoded segments separated by dots: header.payload.signature.
The header declares the signing algorithm, the payload holds the claims (such as the subject, issued-at time, and expiry), and the signature lets a server verify the token has not been tampered with. This tool decodes the header and payload and shows the raw signature, but it does not verify it.
Base64URL-decodes the header and payload segments and pretty-prints the JSON so the claims are easy to read.
Converts the iat, nbf, and exp timestamps into UTC dates with a relative time.
Shows a clear Expired or Valid badge by comparing the exp claim against the current time.
Displays the raw signature segment so you can inspect it — note that it is not verified.
Surfaces the signing algorithm and token type from the header up front.
Decoding runs entirely in your browser. Your token is never sent to a server or stored.
Drop a JWT (header.payload.signature) into the input, or click Load sample token to try it.
The header and payload are decoded and pretty-printed into separate read-only panels.
Registered claims like iat, nbf, and exp are shown as UTC dates with a relative time and an expiry badge.
Use the Copy buttons to grab the decoded header or payload JSON.
A JWT (JSON Web Token) is a compact, URL-safe way to represent claims between two parties. It has three Base64URL-encoded segments separated by dots: a header describing the signing algorithm, a payload holding the claims, and a signature used to verify the token's integrity.
No. This is a decoder, not a verifier. It Base64URL-decodes and displays the header and payload and shows the raw signature, but it never checks whether the signature is valid. Always verify signatures on your server with the secret or public key.
No. Decoding happens entirely in your browser using JavaScript. Your token is never transmitted to a server, logged, or stored, so it is safe to inspect sensitive tokens here.
Yes. The header and payload are only Base64URL-encoded, not encrypted, so anyone with the token can decode and read them. Never put secrets or sensitive data in a JWT payload unless the token itself is encrypted.
These are registered claims expressed as Unix timestamps in seconds. iat is when the token was issued, nbf is the time before which the token must not be accepted, and exp is when the token expires. This tool renders each as a UTC date with a relative time.
A token is shown as Expired when its exp claim is a time in the past relative to your device's clock. If the exp timestamp is in the future, the token is shown as Valid (not expired). Note this only checks expiry, not the signature.
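The decode-and-check-expiry flow described above, as an added example (not this tool's own code). The function names and the sample token are constructed for illustration, and the comparison treats a token whose exp equals the current second as expired, following RFC 7519.

```javascript
// Added example: decode-only JWT inspection. The signature is never verified.
function b64urlDecode(segment) {
  // Base64URL -> Base64: swap the URL-safe characters and restore padding.
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

function decodeJwt(token) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const [header, payload] = parts.slice(0, 2).map((s) => JSON.parse(b64urlDecode(s)));
  return { header, payload, signature: parts[2] }; // signature stays raw, unverified
}

function describeClaims(payload, nowSeconds = Math.floor(Date.now() / 1000)) {
  const dates = {};
  for (const name of ['iat', 'nbf', 'exp']) {
    // Registered time claims are Unix timestamps in seconds; Date wants milliseconds.
    if (typeof payload[name] === 'number') {
      dates[name] = new Date(payload[name] * 1000).toISOString();
    }
  }
  let status = 'No exp claim';
  if (typeof payload.exp === 'number') {
    status = payload.exp <= nowSeconds ? 'Expired' : 'Valid (not expired)';
  }
  return { dates, status };
}

// Constructed sample token: the third segment is a placeholder, not a real signature.
const enc = (obj) =>
  btoa(JSON.stringify(obj)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const sampleToken = [
  enc({ alg: 'HS256', typ: 'JWT' }),
  enc({ sub: 'user-123', iat: 1700000000, exp: 1700003600 }),
  'constructed-signature-not-verified',
].join('.');

const decoded = decodeJwt(sampleToken);
console.log(decoded.header, decoded.payload, describeClaims(decoded.payload));
```

A status of Valid here means only that exp is in the future; anyone can construct a token like the sample, so acceptance decisions still require signature verification on the server.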