JWT Decoder — Decode and inspect a JWT
Paste a JWT (often Authorization: Bearer …): instant JSON for header and payload, readable
iat / exp / nbf, expiry warnings. No external libraries — everything stays in your browser.
JWT decoding
No network calls, no CDN libraries. The signature shown is not verified (you need the key or certificate for the algorithm).
Signature: not verified. A secret or public key is required, depending on the algorithm (HS256, RS256, etc.).
How it works
- A JWT has three Base64url segments separated by dots: header, payload, signature.
- Header and payload are JSON; they are decoded and pretty-printed.
- Fields iat, exp, nbf (Unix seconds) are shown in both French and English locale formats.
- The signature is not validated here: without the shared secret or asymmetric keys, only the segment presence is shown.
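The steps listed above, as an added example that is not this tool's own source: it splits the token, Base64url-decodes header and payload, formats iat / exp / nbf, and reports expiry while leaving the signature unverified. The names `inspectJwt`, `b64urlToBytes`, `decodeJsonSegment` and `SAMPLE_JWT`, the stripping of a pasted "Bearer " prefix, and the sample token are assumptions made for illustration.

```javascript
// Added example: decode-only inspection. Nothing here verifies the signature.
function b64urlToBytes(seg) {
  if (!/^[A-Za-z0-9_-]+$/.test(seg) || seg.length % 4 === 1) {
    throw new Error("segment is not valid Base64url");
  }
  // Map the URL-safe alphabet back to standard Base64 and restore padding.
  const b64 = seg.replace(/-/g, "+").replace(/_/g, "/") +
    "=".repeat((4 - (seg.length % 4)) % 4);
  return Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
}

function decodeJsonSegment(seg) {
  // fatal: true rejects invalid UTF-8 instead of silently substituting U+FFFD.
  const text = new TextDecoder("utf-8", { fatal: true }).decode(b64urlToBytes(seg));
  return JSON.parse(text);
}

function inspectJwt(input, nowSec = Math.floor(Date.now() / 1000)) {
  // Assumption: tolerate a pasted "Bearer " prefix; drop spaces and line breaks.
  const token = input.replace(/^\s*Bearer\s+/i, "").replace(/\s+/g, "");
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const header = decodeJsonSegment(parts[0]);
  const payload = decodeJsonSegment(parts[1]);
  const times = {};
  for (const claim of ["iat", "exp", "nbf"]) {
    const d = new Date(payload[claim] * 1000); // claims are Unix seconds
    if (typeof payload[claim] !== "number" || Number.isNaN(d.getTime())) continue;
    times[claim] = {
      iso: d.toISOString(),
      fr: d.toLocaleString("fr-FR", { timeZone: "UTC" }),
      en: d.toLocaleString("en-US", { timeZone: "UTC" }),
    };
  }
  const warnings = [];
  if (typeof payload.exp === "number" && nowSec >= payload.exp) warnings.push("expired");
  if (typeof payload.nbf === "number" && nowSec < payload.nbf) warnings.push("not yet valid");
  return { header, payload, times, warnings,
    signaturePresent: parts[2].length > 0, signatureVerified: false };
}

// Constructed sample token (not a real credential); the signature is filler.
const enc = (o) => btoa(JSON.stringify(o)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE_JWT = [enc({ alg: "HS256", typ: "JWT" }),
  enc({ sub: "demo", iat: 1700000000, nbf: 1700000000, exp: 1700003600 }), "c2ln"].join(".");
console.log(inspectJwt("Bearer " + SAMPLE_JWT, 1700000100));
```

The result always carries `signatureVerified: false`, so nothing decoded this way should drive an authorization decision.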
Frequently asked questions
- How do I decode a JWT?
- Paste the full string in the field: Base64url decoding of header and payload is automatic. Extra spaces and line breaks are ignored.
- Is it safe to decode a JWT here?
- Processing is local in your browser on this page. Do not paste production tokens on untrusted devices; payloads may contain sensitive data.
- How do I check JWT expiry?
- If the exp claim is present, compare it to the current time — the tool spells it out and shows alerts.
- JWT vs session cookie?
- Server sessions often keep state in the app; a JWT carries data in the payload and can flow without a stored session, with trickier revocation.