free_tool

JWT Decoder & Inspector

Paste a JSON Web Token to read what it actually carries: the header and payload decoded, the claims laid out, and the issued, not-before and expiry times in plain language. It decodes in your browser and never verifies or stores the token.

Decoded in your browser. The signature is not verified (that needs the key, server-side), so never trust a token by reading it. Don't paste production secrets.

Decoding is not validation. Anyone can read or forge an unsigned token; what makes a JWT trustworthy is the signature, checked against your key on the server. Use this to inspect and debug, never to authorize.

reading_a_token

Three parts, one of which is the point

A JWT is three base64url chunks: a header (the algorithm), a payload (the claims), and a signature. The first two are just encoded, not encrypted, so this tool can show them and so can anyone who intercepts the token. Never put a secret in a payload.

The signature is the only part that matters for trust, and it's the part this tool deliberately doesn't check, because that requires the key and belongs on the server. The most common bugs live in the time claims: a token that expired hours ago, or one whose not-before is in the future because two servers disagree on the clock.

faq

Questions & answers

Does the JWT decoder verify the signature?
No. It decodes the header and payload only and never checks the signature, because verification needs the issuer's key and has to happen on your server. Use it to read claims and debug, not to decide whether a token is trustworthy.
Is my token sent anywhere or stored?
No. The token is decoded in your browser using base64url decoding and JSON parsing, and it is never sent to a server or stored. It is safe to paste a token for inspection without it leaving your machine.
How does it show when a token was issued and expires?
For the iat, nbf and exp claims it shows the Unix timestamp, an ISO 8601 datetime, and a relative time such as "in 5 days". It then labels the token as within its validity window, expired, or not yet valid, based on your browser clock.
If the payload is decoded so easily, is it encrypted?
No. A standard JWT header and payload are base64url encoded, not encrypted, so anyone holding the token can read the claims. Never put secrets in a JWT payload.
Can I use this to authorize requests?
No. Decoding is not verification, and an unverified token can be forged. Verify the signature with the issuer's public key on your server before you trust any claim for authorization.

Auth flow giving you grief?

Expiry, refresh, rotation, scopes, the subtle ways token auth goes wrong. I'll design or review yours so it's secure and boring. Book a call, or leave your email.

Book a call

No spam. You'll get a reply from me.

Prefer proof first? See how this plays out in real case studies →