UtilityBase logoUtilityBase

Developer Tools

JWT Decoder

Decode JWT tokens locally — header, payload, and human-readable claims.

Updated July 7, 2026

How to use the jwt decoder

  1. 1Paste the JWT — decoding happens as you type.
  2. 2Read the header (algorithm) and payload (claims) tables.
  3. 3Check the converted dates on exp/iat/nbf; expired tokens are flagged.
  4. 4Copy either section as formatted JSON if you need it elsewhere.

Common uses

  • Debugging why an API rejects a token (usually: it expired)
  • Inspecting what claims and roles your auth provider actually issues
  • Learning JWT structure with a real token safely
  • Checking token lifetimes when tuning session behavior

Frequently asked questions

Is it safe to paste a real token here?

Safer than the usual JWT sites: this decoder runs entirely client-side, so the token is never transmitted. Still, treat production tokens like passwords — prefer decoding expired or test tokens when you can, and rotate anything you suspect leaked.

What are the three parts of a JWT?

Header (algorithm and type), payload (the claims — user ID, roles, expiry), and signature, separated by dots. Header and payload are just base64url-encoded JSON, which is why anyone can read them; only the signature requires a key.

Does decoding verify the token is valid?

No — and this matters. Decoding reads the claims; verification checks the signature against the issuer's key to prove the claims weren't forged or altered. This tool decodes only, so treat the output as 'what the token says,' not 'what is true.'

What do exp, iat, and nbf mean?

Standard time claims as Unix timestamps: iat is when the token was issued, exp when it expires, nbf the earliest moment it's valid. The decoder converts each to a readable local date and flags tokens past their exp.

About this tool

The JWT decoder splits a JSON Web Token into its header and payload and renders every claim in a readable table — with time claims like exp, iat, and nbf automatically converted to local dates and expired tokens flagged. The critical difference from most JWT sites: decoding happens entirely in your browser. JWTs are live credentials — pasting one into a website that processes it server-side hands your session to a stranger — so a local-only decoder is the only kind you should use with real tokens. Note the distinction it can't erase: decoding shows what a token claims; only signature verification with the secret or public key proves the claims are authentic.

Like everything on UtilityBase, the jwt decoder runs entirely in your browser — nothing you enter is uploaded or stored on a server. It's free to use with no account required. Browse more developer tools here.

Was this tool helpful?

Related tools