JSON Web Tokens carry signed claims between services, but on the wire a JWT is just three Base64URL segments joined by dots. When a login flow misbehaves, the fastest fix is often to check the token's audience, expiry and granted scopes. Paste a token into the left editor and the right editor instantly shows the decoded header and payload as pretty-printed JSON, with the algorithm, issuer and custom claims readable at a glance.
Time claims are where most JWT bugs hide, so the decoder also renders the exp, iat and nbf values as human-readable ISO timestamps, making it obvious whether a token expired five minutes ago or came from a skewed clock. Load File, Clear, Download and Copy buttons complete the two-editor layout, so a token from a saved capture can be decoded and pasted into a bug report in seconds.
A JWT is a live credential: whoever holds it can often act as its user, so it should never be pasted into a tool that sends it to a server. This decoder does all decoding and formatting inside your browser tab; the token is never transmitted, logged or stored, and closing the page erases it.
No. It only decodes the header and payload and never checks the signature against a key. A cleanly decoded token could still be forged, so always verify signatures server-side with the proper key before trusting any claim.
Yes, because the token never leaves your device: decoding happens entirely in your browser with no network request involved. Still, treat tokens like passwords elsewhere and avoid sharing screenshots of sensitive payloads.
They are timestamps in seconds since the Unix epoch: exp is when the token stops being valid, iat is when it was issued, and nbf means it must not be accepted before that moment. The decoder converts all three to ISO date strings.