JWT Decoder

Decode JWT header and payload locally, inspect common claims, and catch expiration or audience mistakes without sending tokens to an API.

Decode only. This does not verify the JWT signature, issuer, audience or trust level.
Decoded JWT 

        

    

                

            
                    

                        
How to use this tool

                        
    
                                                            
  1. Paste a JWT token into the input field.
    2. 
                                                            
  2. Decode the header and payload locally in the browser.
    3. 
                                                            
  3. Review exp, iat, nbf, iss, aud and sub claims.
    4. 
                                                            
  4. Verify the signature on your server or with a trusted library before trusting the token.
    5. 
                                                    

                    


                    

                        
Common mistakes

                        
    
                                                            
  • Treating decoded JWT content as trusted without signature verification.
    • 
                                                            
  • Pasting production user tokens into untrusted pages.
    • 
                                                            
  • Ignoring timezone and expiration differences when debugging auth failures.
    • 
                                                    

                    


                    

                        
FAQ

                        

                                                            

                                    Does this verify JWT signatures?
                                    
No. It decodes header and payload only. Signature verification requires the correct secret or public key.

                                

                                                            

                                    Is the token sent to a server?
                                    
No. The decode runs locally in your browser.

                                

                                                            

                                    Why do exp values look like numbers?
                                    
JWT time claims are usually Unix timestamps in seconds. The tool converts common claims to readable dates.

                                

                                                    

                    


                        

        
Related tools

        

                                                
                        JSON
                        JSON Validator and Formatter
                        
Validate JSON, format it for reading, or minify it for compact API payloads without sending data to an external API.

                    
                                                                
                        OpenAI
                        OpenAI API Request Checker
                        
Statically inspect an OpenAI API request body for common JSON and parameter mistakes before sending it to the API.

                    
                                                                
                        Time
                        Unix Timestamp Converter
                        
Convert Unix timestamps to readable dates, generate current timestamps and debug log, JWT and scheduling issues.

                    
                                    

    

                            

        
Related guides and fixes

        

                                                
                        JWT
                        Debug JWT exp, iat and nbf Claims
                        
JWT time bugs often come from seconds versus milliseconds, timezone confusion or trusting decoded payloads without signature verification.

                    
                                                                            
                        JWT
                        JWT Expired But Token Looks Valid Fix
                        
A decoded JWT can look fine while still being expired, not yet valid, signed with the wrong key or meant for a different audience.

                    
                                    

    

                        
Last updated: May 17, 2026