Free JWT Decoder — Inspect Token Header & Payload Online
Decode and inspect JWT tokens — header, payload, and signature — without any verification.
About this tool
Paste any JWT (JSON Web Token) to instantly decode and inspect its header and payload. See all claims including expiry time (exp), issued-at (iat), issuer (iss), and custom claims. The signature section is displayed but not verified — this tool is purely for inspection and debugging.
Key Features
- Decode JWT header and payload with formatted JSON output
- Displays all standard claims: exp, iat, nbf, iss, aud, sub
- Human-readable expiry and issued-at timestamps
- Signature section shown for reference (not verified)
- 100% browser-based — tokens never leave your device
Frequently Asked Questions
Does this tool verify the JWT signature?
No. This tool only decodes (base64url-decodes) the header and payload portions of the JWT for inspection. Signature verification requires the secret key or public key and is not performed here.
Is it safe to paste my JWT here?
All decoding happens entirely in your browser — nothing is sent to any server. That said, JWTs may contain sensitive claims, so avoid pasting production tokens in shared or public environments.
What are JWT claims?
Claims are key-value pairs in the JWT payload that describe the token subject. Standard claims include sub (subject/user ID), exp (expiry timestamp), iat (issued at), iss (issuer), and aud (audience). Applications also add custom claims.
Why does my JWT show as expired?
The exp (expiration) claim is a Unix timestamp. If the current time is past that timestamp, the token is considered expired. This tool displays the human-readable expiry time so you can see at a glance whether the token is still valid.