JWT Decoder — Decode and inspect a JWT

Paste a JWT (often Authorization: Bearer …): instant JSON for header and payload, readable iat / exp / nbf, expiry warnings. No external libraries — everything stays in your browser.

JWT decoding

No network calls, no CDN libraries. The signature shown is not verified (you need the key or certificate for the algorithm).

How it works

  1. A JWT has three Base64url segments separated by dots: header, payload, signature.
  2. Header and payload are JSON; they are decoded and pretty-printed.
  3. Fields iat, exp, nbf (Unix seconds) are shown in both French and English locale formats.
  4. The signature is not validated here: without the shared secret or the asymmetric keys, the tool only shows whether the signature segment is present.
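
The four steps above as a runnable sketch. This is an added example, not this tool's own code; the function names, the stripping of a `Bearer ` prefix and the sample token are assumptions constructed for illustration.

```javascript
// Added example; names and the sample token are constructed for illustration.
// Base64url (RFC 7515) uses '-' and '_' and omits '=' padding.
function b64urlToText(seg) {
  if (!/^[A-Za-z0-9_-]+$/.test(seg) || seg.length % 4 === 1) {
    throw new Error("segment is not valid Base64url");
  }
  const b64 = seg.replace(/-/g, "+").replace(/_/g, "/")
    .padEnd(Math.ceil(seg.length / 4) * 4, "=");
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes); // payloads may hold non-ASCII UTF-8
}

function inspectJwt(input, nowSec = Math.floor(Date.now() / 1000)) {
  // Assumption: strip a pasted "Bearer " prefix, then all whitespace.
  const token = input.trim().replace(/^Bearer\s+/i, "").replace(/\s+/g, "");
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected 3 dot-separated segments");
  const [header, payload] = parts.slice(0, 2).map((s) => JSON.parse(b64urlToText(s)));
  if (!payload || typeof payload !== "object") throw new Error("payload is not a JSON object");
  // Accept only numeric timestamps that fit in a JavaScript Date.
  const isTime = (v) => typeof v === "number" && Math.abs(v) <= 8.64e12;
  const times = {};
  for (const k of ["iat", "exp", "nbf"]) {
    if (isTime(payload[k])) times[k] = new Date(payload[k] * 1000).toISOString();
  }
  const warnings = [];
  if (isTime(payload.exp) && nowSec >= payload.exp) warnings.push("expired");
  if (isTime(payload.nbf) && nowSec < payload.nbf) warnings.push("not yet valid");
  return {
    header, payload, times, warnings,
    signaturePresent: parts[2].length > 0,
    signatureVerified: false, // no key material here, so nothing is verified
  };
}

// Constructed sample token; the third segment is a placeholder, not a real MAC.
const enc = (o) => btoa(JSON.stringify(o))
  .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const sampleToken = [enc({ alg: "HS256", typ: "JWT" }),
  enc({ sub: "demo", iat: 1700000000, exp: 1700003600 }),
  "c2lnLXBsYWNlaG9sZGVy"].join(".");
console.log(JSON.stringify(inspectJwt(sampleToken), null, 2));
```

Because `signatureVerified` is always `false`, the decoded claims are for inspection only and must not drive an authorization decision.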

Frequently asked questions

How do I decode a JWT?
Paste the full string into the field: Base64url decoding of header and payload is automatic. Extra spaces and line breaks are ignored.

Is it safe to decode a JWT here?
Processing is local in your browser on this page. Do not paste production tokens on untrusted devices; payloads may contain sensitive data.

How do I check JWT expiry?
If the exp claim is present, compare it to the current time: the tool spells it out and shows alerts.

JWT vs session cookie?
Server sessions often keep state in the app; a JWT carries its data in the payload and can be used without a stored session, which makes revocation trickier.