JWT Decoder

Decode and inspect JSON Web Token headers and payloads.


Paste a JWT to instantly see its decoded header and payload, with the iat, nbf and exp time claims rendered as readable dates and a live expired/valid badge. Decoding happens entirely in your browser, so tokens are never sent anywhere — but remember the signature is not verified here, so never trust a payload until it is validated server-side.

What is JWT Decoder?

JWT Decoder is a free online tool that decodes and inspects JSON Web Tokens (JWT) so developers can read the contents of an access token, ID token, or bearer token without guessing. Paste a token in the standard header.payload.signature format and it base64url-decodes the header and payload, pretty-prints both as formatted JSON, and renders the iat, nbf, and exp time claims as human-readable dates with a live expired/valid badge. It is built for backend and frontend engineers, QA testers, and API integrators debugging authentication flows, OAuth/OIDC sessions, or token expiry issues. Note that this is a decoder, not a verifier — it does not check the signature, so it is for inspection only.

How to use JWT Decoder

  1. Copy your JWT (header.payload.signature) from your app, browser dev tools, or an Authorization: Bearer header.
  2. Paste it into the 'JWT token' text area.
  3. Read the decoded, pretty-printed JSON in the Header and Payload sections below the input.
  4. If the payload includes iat, nbf, or exp, check the Issued (iat), Not before (nbf), and Expires (exp) stat cards and the expired/valid badge to see the token's lifetime.
  5. Use the Copy button on the Header or Payload to copy the formatted JSON, or click Clear to reset the input.

Examples

Decode a JWT header

Input

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0In0.sig

Output

{
  "alg": "HS256",
  "typ": "JWT"
}

The Header section shows the decoded, pretty-printed JSON for the first segment.

Read expiry claims

Paste a token whose payload contains exp/iat/nbf. The tool converts each epoch-second claim to a readable local date and shows a green 'valid' or red 'expired' badge next to the Expires (exp) value, refreshed every second.

Malformed token

Input

not-a-jwt

Output

Malformed token — expected header.payload.signature

A string without at least a header and payload segment (no dot separators) triggers this error instead of decoding.

Frequently asked questions

Does this tool verify the JWT signature?
No. It only decodes and displays the header and payload — it does not verify the signature. Never trust a decoded payload until the signature is validated server-side; treat the output as inspection only.
What token format does it expect?
A standard JWT with at least a header.payload section (header.payload.signature). It splits on the dots and base64url-decodes the first two segments, so the signature part is ignored during decoding.
Which time claims does it show?
It surfaces the standard numeric epoch-second claims iat (issued at), nbf (not before), and exp (expires), formatting each as a readable local date. It flags expired tokens and warns when a token is not valid yet because nbf is in the future. Stat cards only appear when at least one of these claims is present.
Is my token uploaded or sent anywhere?
No. Everything runs entirely client-side in your browser using built-in base64 and JSON decoding — your token is never uploaded to any server, which makes it safe to inspect sensitive access tokens.
Why do I get an error on a valid-looking token?
If the input has fewer than two segments or the header/payload is empty you'll see a 'Malformed token' message, and if a segment is not valid base64url-encoded JSON you'll see an 'invalid' error. Make sure you pasted the full token without extra whitespace or surrounding quotes.
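
The decoding steps described in the answers above (split on the dots, base64url-decode the first two segments, read iat/nbf/exp) can be sketched as follows. This is an added example, not the tool's own code: the function names, error strings, status labels and UTC date rendering are assumptions, and it runs under Node using Buffer.

```javascript
// Added example: decode-only JWT inspection. The signature is never checked.
const B64URL = /^[A-Za-z0-9_-]+$/;

// Decode one base64url segment into a JSON object, or throw an "invalid" error.
function decodeSegment(seg, name) {
  if (!B64URL.test(seg)) throw new Error(`invalid ${name}: not base64url`);
  // Map base64url to base64. Buffer is Node's decoder; a browser would use atob.
  const b64 = seg.replace(/-/g, "+").replace(/_/g, "/");
  let obj;
  try {
    obj = JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
  } catch (e) {
    throw new Error(`invalid ${name}: not JSON`);
  }
  if (obj === null || typeof obj !== "object" || Array.isArray(obj)) {
    throw new Error(`invalid ${name}: not a JSON object`);
  }
  return obj;
}

// nowSeconds is injectable so the expiry logic can be tested deterministically.
function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length < 2 || !parts[0] || !parts[1]) {
    throw new Error("Malformed token: expected header.payload.signature");
  }
  const header = decodeSegment(parts[0], "header");
  const payload = decodeSegment(parts[1], "payload");
  const times = {};
  for (const claim of ["iat", "nbf", "exp"]) {
    const v = payload[claim];
    // Only numeric epoch-second values inside the Date range are rendered.
    if (Number.isFinite(v) && Math.abs(v) <= 8.64e12) {
      times[claim] = new Date(v * 1000).toISOString();
    }
  }
  let status = "no exp claim";
  if ("nbf" in times && nowSeconds < payload.nbf) status = "not valid yet";
  else if ("exp" in times) status = nowSeconds >= payload.exp ? "expired" : "valid";
  // Inspection only: nothing here proves who issued the token.
  return { header, payload, times, status, signatureVerified: false };
}

// Sample input: the page's example token, whose third segment is just "sig".
const SAMPLE = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0In0.sig";
console.log(inspectJwt(SAMPLE));
```

The sample token decodes cleanly even though its third segment is the literal string sig, which is why the result always carries signatureVerified: false.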
