JWT Decoder & Verifier - Decode JSON Web Tokens Online
Decode JSON Web Tokens in your browser. Inspect header, payload, expiry, and standard claims. Decoding only — no signature verification, no upload.
Signatures are not verified — this tool only decodes.
Paste any JWT (three base64url segments separated by dots) and see its decoded header, payload, and signature. Common time-related claims (exp, iat, nbf) are converted to a human-readable date with an expired/valid badge. This tool is read-only and runs entirely on the client — it never has the secret, so it cannot verify the signature. Use it for debugging auth flows, inspecting tokens from OAuth/OIDC providers, and reviewing claims during a security audit.
How to use
1. Paste your JWT
   Drop the encoded JWT — three base64url segments separated by dots — into the input area.
2. Inspect header and payload
   The decoded header and payload appear as pretty-printed JSON. Standard claims like exp, iat, nbf are converted to dates.
3. Check expiry
   An Expired / Valid badge shows whether the token's exp claim has passed (signature is not verified).
4. Copy the decoded JSON
   Use Copy on either panel to grab the decoded JSON. Everything stays in your browser — the token is never uploaded.
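The decode path these steps describe, as an added example that is not this tool's own code: split on dots, base64url-decode the header and payload, convert exp/iat/nbf to dates, and compute the badge without ever touching the signature. The function names (`b64urlToJson`, `inspectJwt`, `makeSample`) and the sample token are constructed for illustration.

```javascript
// Decode-only inspection of a JWS Compact token. The signature is never checked,
// so nothing returned here says the token is authentic.
function b64urlToJson(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error("segment is not base64url");
  // base64url -> base64: swap the URL-safe characters back and restore padding.
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  // fatal: true rejects invalid UTF-8 instead of silently substituting characters.
  return JSON.parse(new TextDecoder("utf-8", { fatal: true }).decode(bytes));
}

function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  // JWS Compact Serialization has exactly three segments; a JWE or an opaque ID does not.
  if (parts.length !== 3) throw new Error(`expected 3 segments, got ${parts.length}`);
  const header = b64urlToJson(parts[0]);
  const payload = b64urlToJson(parts[1]);
  // Time claims are seconds since the epoch; render them as ISO dates.
  const dates = {};
  for (const claim of ["exp", "iat", "nbf"]) {
    if (typeof payload[claim] === "number") {
      dates[claim] = new Date(payload[claim] * 1000).toISOString();
    }
  }
  let badge = "No exp claim";
  if (typeof payload.exp === "number") {
    badge = nowSeconds >= payload.exp ? "Expired" : "Valid";
  }
  // signatureVerified is always false: this code never has the key.
  return { header, payload, signature: parts[2], dates, badge, signatureVerified: false };
}

// Constructed sample token; the third segment is a placeholder, not a real signature.
function makeSample(payload) {
  const enc = (o) =>
    btoa(JSON.stringify(o)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "HS256", typ: "JWT" })}.${enc(payload)}.c2lnbmF0dXJlLW5vdC1jaGVja2Vk`;
}
const SAMPLE = makeSample({ sub: "user-123", iat: 1700000000, exp: 1700003600 });
```

A "Valid" badge from this code means only that exp is in the future; a token with an altered payload and a stale signature decodes exactly the same way.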
FAQ
Q. Does this verify the signature?
No. Signature verification requires the issuer's secret or public key. This tool only decodes — it tells you what's inside the token, not whether it's authentic.
Q. Is the token sent to a server?
No. Decoding is pure base64url + JSON parsing — both happen in your browser. There is no network call.
Q. What if the token doesn't have three segments?
JWS Compact Serialization requires exactly three dot-separated segments. Anything else (an opaque session ID, a JWE, a JWS in JSON serialization) won't decode here.
Q. Can I edit the payload and re-encode?
Not here. Forging a token requires re-signing with the issuer's secret, which we don't have. Use a CLI tool with the secret to mint test tokens.