JWT Decoder

Paste any JSON Web Token and this tool instantly splits it into its three parts, base64url-decodes the header and payload, and pretty-prints the JSON inside. Standard timestamp claims — exp (expiry), iat (issued at) and nbf (not before) — are translated into human-readable dates, and the tool tells you at a glance whether the token is still valid or already expired.

JWTs are everywhere: OAuth 2.0 and OpenID Connect flows, session cookies, API keys, webhook signatures. When authentication misbehaves, the fastest diagnostic step is usually to look inside the token — check the audience, the scopes, the expiry, the issuer. This decoder makes that a two-second job.

Because tokens are credentials, privacy matters: this page performs all decoding in your browser with plain JavaScript. The token never leaves your machine and nothing is logged. Note that decoding is not verification — the signature is displayed but not checked, since verification requires the secret or public key.