Debugging authentication issues or inspecting a token from an API response? Paste any JWT here to instantly decode its header, payload, and signature — with automatic expiration detection. Your token never leaves your browser.

Last Updated: May 20, 2025
Privacy: 100% Local Browser Processing

What is the JWT Decoder?

A JWT (JSON Web Token) Decoder parses the three Base64URL-encoded segments of a JWT into their readable JSON components: the Header (algorithm and token type), the Payload (claims like user ID, roles, expiration), and the Signature. JWTs are the standard authentication mechanism for modern web applications, OAuth2 flows, and API authorization. This tool displays each section with syntax highlighting, detects expiration timestamps, and validates whether the token is currently active.

Pro Tips & Best Practices

  • Never share your JWT tokens publicly — even though they are 'just' Base64-encoded, they contain your authentication credentials and can be used to impersonate you until they expire.
  • If you paste a 'Bearer eyJhbG...' string, the tool automatically extracts the token. You do not need to manually remove the 'Bearer ' prefix.
  • The 'iat' (issued at) and 'exp' (expires) claims are Unix timestamps. The tool converts them to human-readable dates automatically, but you can use our Timestamp Converter tool for more detailed timezone comparisons.
  • This tool decodes but does not verify signatures. Signature verification requires the signing key and should only happen on the server side.

Technical Deep Dive

JWTs are structured as three Base64URL-encoded segments separated by dots: header.payload.signature. The header specifies the signing algorithm (HS256, RS256, ES256, etc.) and token type. The payload contains claims — standardized fields like 'sub' (subject/user ID), 'iss' (issuer), 'exp' (expiration timestamp), 'iat' (issued-at timestamp), and custom claims like roles and permissions. The signature is created by signing the encoded header and payload with a secret key (HMAC) or private key (RSA/ECDSA). This tool decodes the first two segments using Base64URL decoding (a URL-safe variant of Base64 that replaces + with - and / with _) and parses the resulting JSON. It does NOT verify the signature — that would require the secret key, which should never be exposed in a client-side tool. The expiration detection compares the 'exp' claim (a Unix timestamp) against the current time, showing whether the token is still valid and how much time remains. The tool also handles edge cases: tokens extracted from 'Bearer ...' authorization headers, tokens embedded in cookie strings, and malformed tokens with helpful error messages.
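The decoding steps described above, written out as an added example (not the tool's own source): Base64URL decoding with padding restored, JSON parsing of header and payload, 'exp' compared against a Unix timestamp, and extraction from a 'Bearer ...' value or a cookie string. The sample token at the bottom is constructed in the block with a dummy signature segment; no real key is involved and nothing is verified.

```javascript
// Base64URL -> string: restore '+' '/' and the '=' padding that JWTs drop.
function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return new TextDecoder().decode(Uint8Array.from(atob(padded), (c) => c.charCodeAt(0)));
}

// Only used to build the constructed sample token at the bottom.
function base64UrlEncode(str) {
  const b64 = btoa(String.fromCharCode(...new TextEncoder().encode(str)));
  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Accept a bare token, an "Authorization: Bearer ..." value, or a cookie string.
function extractToken(input) {
  const s = input.trim();
  const bearer = s.match(/^Bearer\s+(\S+)$/i);
  if (bearer) return bearer[1];
  const cookie = s.match(/(?:^|;\s*)[\w-]+=(eyJ[\w-]+\.[\w-]+\.[\w-]*)/);
  return cookie ? cookie[1] : s;
}

// Decode header and payload and compare 'exp' with `now` (Unix seconds).
// The signature segment is returned as-is: verifying it needs the key.
function decodeJwt(input, now = Math.floor(Date.now() / 1000)) {
  const parts = extractToken(input).split('.');
  if (parts.length !== 3) {
    throw new Error(`malformed JWT: expected 3 segments, got ${parts.length}`);
  }
  let header, payload;
  try {
    header = JSON.parse(base64UrlDecode(parts[0]));
    payload = JSON.parse(base64UrlDecode(parts[1]));
  } catch (e) {
    throw new Error(`malformed JWT: segment is not Base64URL JSON (${e.message})`);
  }
  const exp = typeof payload.exp === 'number' ? payload.exp : null;
  return {
    header, payload, signature: parts[2],
    expired: exp === null ? null : now >= exp,
    secondsRemaining: exp === null ? null : exp - now,
  };
}
// Constructed sample (no real key): HS256 header, 'exp' at Unix time 1700000000, dummy signature.
const SAMPLE_JWT = [
  base64UrlEncode('{"alg":"HS256","typ":"JWT"}'),
  base64UrlEncode('{"sub":"user-42","iat":1699996400,"exp":1700000000}'),
  'not-a-real-signature',
].join('.');
```

Passing a fixed `now` makes the expiry check reproducible; in the browser the default argument uses the current clock.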

How to Use

  1. Paste your JWT token (starting with 'eyJ...') into the input field.
  2. The tool automatically decodes the Header, Payload, and Signature.
  3. View the algorithm and token type in the Header section.
  4. Inspect claims like 'exp', 'iat', 'sub' in the Payload section.
  5. Check the expiration status — the tool shows if the token is valid or expired.
  6. Copy any section with the built-in copy buttons.

Real-World Use Cases

  • Authentication debugging: decode JWTs from browser DevTools (Application → Cookies or Network → Headers) to verify that tokens contain the expected claims after login.
  • API development: inspect tokens received in webhook callbacks, OAuth2 authorization code flows, or API responses to verify issuer, audience, and scope claims.
  • Token expiration monitoring: check if a JWT has expired or is about to expire, which is often the cause of 401 Unauthorized errors.
  • Security auditing: verify that JWTs do not contain sensitive information in the payload (passwords, credit card numbers) since the payload is only encoded, not encrypted.

Frequently Asked Questions