JWT Decoder

Decode and inspect JWT tokens

Input
Output 

    
  






  
  
  





  
  





  
About JWT Decoder


JSON Web Tokens (JWT) are a compact, URL-safe way to represent claims between two parties. A JWT consists of three parts separated by dots: header, payload, and signature. This tool decodes the header and payload, displays them as formatted JSON, and automatically converts Unix timestamps (exp, iat, nbf) to human-readable dates.




  

    
Q: Does this tool verify the JWT signature?

    
No. This is a decode-only tool. Signature verification requires the secret key or public key, which should never be shared with a client-side tool. Use this for inspecting token contents only.

  

  

    
Q: What are the exp, iat, and nbf fields?

    
exp (expiration time) is when the token expires. iat (issued at) is when it was created. nbf (not before) is the earliest time the token is valid. All are Unix timestamps.

  

  

    
Q: Is it safe to paste my JWT here?

    
Yes. All decoding happens in your browser — nothing is sent to any server. However, remember that JWTs are not encrypted; anyone with the token can read its contents. Treat them as sensitive.

  

  

    
Q: Where do I find my JWT token?

    
JWTs are typically found in HTTP Authorization headers (as Bearer <token>), browser cookies, or localStorage. Check your browser's DevTools Network tab or Application tab.