Developer Tools
JWT Decoder
Decode JWT tokens locally — header, payload, and human-readable claims.
Updated July 7, 2026
How to use the jwt decoder
- 1Paste the JWT — decoding happens as you type.
- 2Read the header (algorithm) and payload (claims) tables.
- 3Check the converted dates on exp/iat/nbf; expired tokens are flagged.
- 4Copy either section as formatted JSON if you need it elsewhere.
Common uses
- Debugging why an API rejects a token (usually: it expired)
- Inspecting what claims and roles your auth provider actually issues
- Learning JWT structure with a real token safely
- Checking token lifetimes when tuning session behavior
Frequently asked questions
Is it safe to paste a real token here?
Safer than the usual JWT sites: this decoder runs entirely client-side, so the token is never transmitted. Still, treat production tokens like passwords — prefer decoding expired or test tokens when you can, and rotate anything you suspect leaked.
What are the three parts of a JWT?
Header (algorithm and type), payload (the claims — user ID, roles, expiry), and signature, separated by dots. Header and payload are just base64url-encoded JSON, which is why anyone can read them; only the signature requires a key.
Does decoding verify the token is valid?
No — and this matters. Decoding reads the claims; verification checks the signature against the issuer's key to prove the claims weren't forged or altered. This tool decodes only, so treat the output as 'what the token says,' not 'what is true.'
What do exp, iat, and nbf mean?
Standard time claims as Unix timestamps: iat is when the token was issued, exp when it expires, nbf the earliest moment it's valid. The decoder converts each to a readable local date and flags tokens past their exp.
About this tool
The JWT decoder splits a JSON Web Token into its header and payload and renders every claim in a readable table — with time claims like exp, iat, and nbf automatically converted to local dates and expired tokens flagged. The critical difference from most JWT sites: decoding happens entirely in your browser. JWTs are live credentials — pasting one into a website that processes it server-side hands your session to a stranger — so a local-only decoder is the only kind you should use with real tokens. Note the distinction it can't erase: decoding shows what a token claims; only signature verification with the secret or public key proves the claims are authentic.
Like everything on UtilityBase, the jwt decoder runs entirely in your browser — nothing you enter is uploaded or stored on a server. It's free to use with no account required. Browse more developer tools here.
Was this tool helpful?
Related tools
Base64 Encoder / Decoder
Encode text to Base64 or decode it back — full Unicode support.
Developer Tools
JSON Formatter
Format, validate, and minify JSON with precise error locations.
Developer Tools
Timestamp Converter
Convert Unix timestamps to human dates and back — seconds or milliseconds.
Developer Tools
Hash Generator
Generate SHA-1, SHA-256, SHA-384, and SHA-512 hashes from any text, live.
Developer Tools
Color Contrast Checker
Check WCAG contrast ratios between text and background colors — AA and AAA.
Developer Tools
CSV to JSON Converter
Convert CSV to JSON and JSON back to CSV — quotes and commas handled properly.
Developer Tools