Free online JWT decoder
Paste a JSON Web Token to instantly decode and inspect its contents. This JWT
decoder splits the token into its three parts, Base64url-decodes the header and
payload, and pretty-prints them as readable JSON — all live as you type. It also
converts the standard iat, nbf, and exp
timestamps into human-readable dates and warns you when a token has expired. It
is perfect for debugging authentication flows, inspecting access tokens, and
understanding what claims an API is sending.
How to decode a JWT
- Copy your token and paste it into the box above.
- Read the decoded Header and Payload as formatted JSON.
- Check the issued, not-before, and expiry dates, and watch for an expired flag.
- Click Copy header or Copy payload to grab either section.
Decoding is not verifying
A JWT is only Base64url-encoded, not encrypted, so anyone can read its payload — that is exactly what this tool does. Decoding a token tells you nothing about whether it is authentic or still valid. The signature must be checked on your server with the correct key before you trust any claim. If you want to inspect the raw encoding by hand, try the Base64 decoder, and to tidy up a decoded payload use the JSON formatter.
Private by design
Every part of the decode runs in your browser with JavaScript. Your token is never uploaded or logged, so it is safe to inspect sensitive access tokens and credentials. When you are finished, click Clear to wipe the box.