JWT Token Decoder

Decode and analyze JSON Web Tokens (JWT) safely in your browser.

Encoded Token

Decode a token to view details

JWT Scenarios & Examples

Standard Access Token

A typical authenticating token with subject, issuer, and expiration.

{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022,
  "exp": 1516242622,
  "iss": "https://auth.example.com"
}

    About this tool

    A JSON Web Token (JWT) is a compact, URL-safe token made of three Base64URL-encoded parts separated by dots — a header, a payload of claims, and a signature. They are the backbone of stateless authentication and authorization: an API issues a signed token at login and the client sends it on every request, so the server can trust the claims without a database lookup. Because the header and payload are only encoded (not encrypted), anyone holding a token can read what's inside — which is exactly why inspecting them safely matters.

    This decoder splits a token into its header and payload, pretty-prints the JSON claims, and surfaces the standard registered claims (iss, sub, aud, exp, iat, nbf) in a readable form — including whether the token is expired and how long until it expires. All decoding happens locally in your browser using the Web platform's own Base64URL handling; your token is never transmitted, logged, or stored, so it's safe to paste production tokens.

    How to use

    1. Paste the token

      Paste a JWT (the long xxxxx.yyyyy.zzzzz string) into the input, or load a sample token.

    2. Read the header and payload

      The tool decodes both segments and pretty-prints the JSON so you can inspect the algorithm, token type, and every claim.

    3. Check expiration and timing

      Registered time claims (exp, iat, nbf) are converted to human-readable dates, and the tool flags whether the token is currently valid or expired.

    4. Copy what you need

      Copy the decoded header or payload JSON to reuse in tests, bug reports, or documentation.

    Standard JWT claims

    ClaimMeaning
    issIssuer — who created and signed the token
    subSubject — the user or entity the token is about
    audAudience — the intended recipient(s) of the token
    expExpiration time — after this the token must be rejected
    iatIssued-at time — when the token was created
    nbfNot-before time — the token is invalid until this moment

    Decoding does not verify the signature — never trust an unverified token's claims on the server.

    Frequently asked questions