Everything runs on your machine — your file is processed right here in your browser and never uploaded to any server.
InputJWT
Loading...
OutputJSON
Loading...

About this tool

JSON Web Tokens carry signed claims between services, but on the wire a JWT is just three Base64URL segments joined by dots. When a login flow misbehaves, the fastest fix is often to check the token's audience, expiry and granted scopes. Paste a token into the left editor and the right editor instantly shows the decoded header and payload as pretty-printed JSON, with the algorithm, issuer and custom claims readable at a glance.

Time claims are where most JWT bugs hide, so the decoder also renders the exp, iat and nbf values as human-readable ISO timestamps, making it obvious whether a token expired five minutes ago or came from a skewed clock. Load File, Clear, Download and Copy buttons complete the two-editor layout, so a token from a saved capture can be decoded and pasted into a bug report in seconds.

How to use

  1. Paste your JWT into the left editor, or click Load File to open a file containing the token.
  2. Read the decoded header and payload as pretty-printed JSON in the right editor.
  3. Check the exp, iat and nbf claims, shown with human-readable ISO timestamps.
  4. Click Copy to grab the decoded JSON, or Download to save it.
  5. Click Clear to reset both editors before decoding another token.

A JWT is a live credential: whoever holds it can often act as its user, so it should never be pasted into a tool that sends it to a server. This decoder does all decoding and formatting inside your browser tab; the token is never transmitted, logged or stored, and closing the page erases it.

Frequently asked questions

Does this tool verify the JWT signature?

No. It only decodes the header and payload and never checks the signature against a key. A cleanly decoded token could still be forged, so always verify signatures server-side with the proper key before trusting any claim.

Is it safe to paste a real production token here?

Yes, because the token never leaves your device: decoding happens entirely in your browser with no network request involved. Still, treat tokens like passwords elsewhere and avoid sharing screenshots of sensitive payloads.

What do the exp, iat and nbf claims mean?

They are timestamps in seconds since the Unix epoch: exp is when the token stops being valid, iat is when it was issued, and nbf means it must not be accepted before that moment. The decoder converts all three to ISO date strings.