Free JWT Decoder

JWT decoder

Paste a JSON Web Token to decode its header and payload, read the claims, and check expiry instantly. Everything runs in your browser — the token is never uploaded.

Encoded token
Decoded in your browser — the token is never sent anywhere. Signatures are shown but not verified.

How it works

Step 1

Paste your token

Drop in any JWT — an access token, ID token, or API key in JWT form.

Step 2

Decode instantly

The header and payload are decoded locally and pretty-printed, with the signature shown separately.

Step 3

Read the claims

Standard claims are labelled, and exp/iat/nbf are converted to human dates with an expiry check.

What is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe way to represent claims between two parties. It has three parts — header, payload and signature — separated by dots. The header and payload are only Base64URL-encoded, not encrypted, so they can be decoded by anyone.

That's why this decoder runs entirely in your browser: there's no reason to send a token to a server just to read it, and doing so would be a security risk. We decode and inspect — we never verify signatures, which would require your secret key.

Frequently asked questions

Is this JWT decoder safe?+

Yes. Decoding happens entirely in your browser — the token is never sent to any server. That makes it safe to inspect real tokens, though you should still avoid sharing production tokens publicly.

Does it verify the signature?+

No. A JWT signature can only be verified with the secret or public key, which you should never paste into a web tool. This decoder shows the signature but does not validate it — it's for inspecting the header and payload.

What is a JWT made of?+

A JSON Web Token has three Base64URL-encoded parts separated by dots: the header (algorithm and type), the payload (claims like sub, exp, and custom data), and the signature. The header and payload are not encrypted — anyone can decode them.

What do exp, iat and nbf mean?+

They are time-based registered claims expressed as Unix timestamps: iat (issued at), nbf (not before — the token isn't valid until this time), and exp (expiration). This tool decodes each into a human-readable date and flags whether the token has expired.

Is a JWT encrypted?+

No — a standard JWT is signed, not encrypted. The payload is only Base64URL-encoded, so never put secrets in it. Use JWE if you need encryption.

More free developer tools

Browser-based, no sign-up. Explore the full Avenra toolset.