Developer Tools
JWT Decoder
Decode a JWT's header and payload locally — with an expiry check. No verification, no upload.
That does not look like a valid JWT (expected three dot-separated Base64 parts).
Decoding happens locally — the token never leaves your browser. This tool decodes only; it does not verify the signature.
About this tool
Debugging auth means reading tokens. Paste a JWT and instantly see its decoded header and payload as pretty-printed JSON, plus a clear expired/valid badge based on the exp claim.
Decoding happens entirely in your browser — critical, since pasting production tokens into a random website's server would be a security incident. Note this tool decodes only; it does not verify the signature.
How to use
- Paste the JWT.
- Read the decoded header, payload and expiry status.
Frequently asked questions
Decoding is 100% local — the token never leaves your browser. Still treat production tokens carefully and rotate any that may have leaked.
JWTs are signed, not encrypted — Base64 hides nothing. Never put secrets in a JWT payload.
No — verification requires the signing key and belongs on your server. This tool is for inspecting contents.