Developer Tools

JWT Decoder

Decode a JWT's header and payload locally — with an expiry check. No verification, no upload.

That does not look like a valid JWT (expected three dot-separated Base64 parts).

        
        

        

Decoding happens locally — the token never leaves your browser. This tool decodes only; it does not verify the signature.

About this tool

Debugging auth means reading tokens. Paste a JWT and instantly see its decoded header and payload as pretty-printed JSON, plus a clear expired/valid badge based on the exp claim.

Decoding happens entirely in your browser — critical, since pasting production tokens into a random website's server would be a security incident. Note this tool decodes only; it does not verify the signature.

How to use

  1. Paste the JWT.
  2. Read the decoded header, payload and expiry status.

Frequently asked questions

Decoding is 100% local — the token never leaves your browser. Still treat production tokens carefully and rotate any that may have leaked.

JWTs are signed, not encrypted — Base64 hides nothing. Never put secrets in a JWT payload.

No — verification requires the signing key and belongs on your server. This tool is for inspecting contents.