JWT decoder
Paste a JSON Web Token to decode its header and payload, read the claims, and check expiry instantly. Everything runs in your browser — the token is never uploaded.
How it works
Paste your token
Drop in any JWT — an access token, ID token, or API key in JWT form.
Decode instantly
The header and payload are decoded locally and pretty-printed, with the signature shown separately.
Read the claims
Standard claims are labelled, and exp/iat/nbf are converted to human dates with an expiry check.
What is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe way to represent claims between two parties. It has three parts — header, payload and signature — separated by dots. The header and payload are only Base64URL-encoded, not encrypted, so they can be decoded by anyone.
That's why this decoder runs entirely in your browser: there's no reason to send a token to a server just to read it, and doing so would be a security risk. We decode and inspect — we never verify signatures, which would require your secret key.
Frequently asked questions
Is this JWT decoder safe?+
Yes. Decoding happens entirely in your browser — the token is never sent to any server. That makes it safe to inspect real tokens, though you should still avoid sharing production tokens publicly.
Does it verify the signature?+
No. A JWT signature can only be verified with the secret or public key, which you should never paste into a web tool. This decoder shows the signature but does not validate it — it's for inspecting the header and payload.
What is a JWT made of?+
A JSON Web Token has three Base64URL-encoded parts separated by dots: the header (algorithm and type), the payload (claims like sub, exp, and custom data), and the signature. The header and payload are not encrypted — anyone can decode them.
What do exp, iat and nbf mean?+
They are time-based registered claims expressed as Unix timestamps: iat (issued at), nbf (not before — the token isn't valid until this time), and exp (expiration). This tool decodes each into a human-readable date and flags whether the token has expired.
Is a JWT encrypted?+
No — a standard JWT is signed, not encrypted. The payload is only Base64URL-encoded, so never put secrets in it. Use JWE if you need encryption.
More free developer tools
Browser-based, no sign-up. Explore the full Avenra toolset.