JWT Decoder
Paste a JSON Web Token to decode its header and payload from Base64URL into readable JSON. Common time claims (iat, exp, nbf) are shown as human dates. This tool decodes only — it does not verify the signature and never sends your token anywhere, so it is safe for inspecting tokens locally.
Data as of 2026-06-13.
How it works
A JSON Web Token has three Base64URL-encoded parts separated by dots: a header describing the signing algorithm, a payload of claims, and a signature. The header and payload are not encrypted — they are merely encoded — so anyone can read them.
This decoder splits the token, Base64URL-decodes the header and payload back to JSON, and pretty-prints them. Standard time claims (iat, nbf, exp) are shown as human-readable UTC dates, and expired tokens are flagged. It does not verify the signature and never transmits your token.
Runs fully client-side in your browser. Source: published web standards (RFCs and the WHATWG/W3C specifications), as implemented by your browser. Verified 2026-06-13.
Frequently asked questions
Does this verify the token's signature?
No. This is a decode-only inspector. Verifying a signature requires the signing secret or public key, which should never be pasted into a web page. Verify signatures in your backend instead.
Is it safe to paste a real token here?
The decoding runs entirely in your browser and nothing is sent anywhere, so it is safe for local inspection. As general practice, avoid pasting live production tokens into any online tool you do not control.
What do iat, nbf and exp mean?
They are standard registered claims: iat is the issued-at time, nbf the not-before time (the token is invalid earlier), and exp the expiry time. All are Unix timestamps in seconds, shown here as dates.
Last updated: 2026-06-13