JWT Decoder

Inspect a JSON Web Token: decode the header and payload, surface expiry, and read claims. This tool decodes only — it does not verify the signature.

Decode-only

This tool decodes the token's header and payload. It does NOT verify the signature — never trust an unverified JWT in production.

How to use

  1. Paste your token into the input box. We split it into header, payload and signature on the dots.
  2. The header and payload show as formatted JSON. Standard timestamp claims (exp, iat, nbf) are converted to your local time below the JSON.
  3. If the payload has an exp claim that's already in the past, an Expired badge appears at the top of the payload card.
  4. Use Copy on any panel to grab the decoded JSON.
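
The steps above in code, as an added example that is not this tool's own source: it splits on the dots, base64url-decodes the header and payload, converts exp/iat/nbf, and flags expiry and unsigned tokens without ever checking the signature. The names `decodeJwt`, `b64urlToText`, `b64url` and the sample token are assumptions made for illustration, and times are rendered as UTC ISO strings rather than local time so the output is deterministic.

```javascript
// Added example: decode-only JWT inspection. No signature check is performed.
const TIME_CLAIMS = ["exp", "iat", "nbf"];

// base64url -> UTF-8 text (restore the standard alphabet and padding first).
function b64urlToText(segment) {
  if (!/^[A-Za-z0-9_-]*$/.test(segment)) throw new Error("not base64url");
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const [header, payload] = parts.slice(0, 2).map((p) => JSON.parse(b64urlToText(p)));
  for (const obj of [header, payload]) {
    if (obj === null || typeof obj !== "object") throw new Error("segment is not a JSON object");
  }
  // Timestamp claims are seconds since the Unix epoch; Date wants milliseconds.
  const times = {};
  for (const name of TIME_CLAIMS) {
    if (typeof payload[name] === "number") {
      times[name] = new Date(payload[name] * 1000).toISOString();
    }
  }
  // Decoding proves nothing about authenticity, so every result carries a warning.
  const warnings = ["signature not verified"];
  if (String(header.alg).toLowerCase() === "none" || parts[2] === "") {
    warnings.push("unsigned token (alg=none or empty signature)");
  }
  const expired = typeof payload.exp === "number" && payload.exp <= nowSeconds;
  return { header, payload, times, expired, warnings };
}

// Constructed sample token (not from a real issuer); the signature is filler bytes.
function b64url(obj) {
  return btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
const SAMPLE = [
  b64url({ alg: "HS256", typ: "JWT" }),
  b64url({ sub: "user-123", iat: 1700000000, exp: 1700003600 }),
  "c2lnbmF0dXJl",
].join(".");
```

The `warnings` array is the part worth keeping if you adapt this: a decoded payload should never be passed onward without the reminder that nothing has authenticated it.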

Frequently asked questions

Does this verify the signature?

No. JWT verification needs the signing secret or public key, which only the issuer has. This tool only decodes the base64url-encoded segments — never trust an unverified JWT in production.

Are tokens stored or logged?

No. The token never leaves the page. We don't write it to localStorage, send it to a server, or log it anywhere.

What algorithms are supported?

All of them, because we don't validate. The decoder doesn't care whether the token is HS256, RS256, ES256 or unsigned (alg=none) — it just parses the header and payload.

Why are some claims shown as both numbers and dates?

JWT timestamps are seconds since the Unix epoch. Showing both the raw number and the human-readable local time helps you cross-reference logs and debug expiry issues quickly.