Instantly decode any JSON Web Token to inspect its header, payload claims, and expiry status. Runs entirely in your browser — your token never leaves your device.
A JSON Web Token (JWT) is a compact, URL-safe token format used to transmit claims between parties. JWTs are widely used for authentication and authorization: your login session, OAuth access tokens, and API keys are often JWTs.
A JWT has three Base64URL-encoded parts separated by dots: the header (algorithm and token type), the payload (claims like user ID, expiry, roles), and the signature (cryptographic proof the token wasn't tampered with).
This tool runs entirely in your browser — no data is sent to any server. That said, treat JWTs like passwords: avoid pasting production tokens into any online tool when possible. Use this for development and debugging.
No. Signature verification requires the secret key (for HMAC), which you should never share, or the public key (for RSA/ECDSA). This tool decodes and inspects the header and payload only.
The exp claim is a Unix timestamp. If the current time is past that timestamp, the token is expired and should be rejected by any properly implemented server.
iat (issued at) is when the token was created. nbf (not before) is the earliest time the token is valid. exp (expiration) is when it expires. All three are Unix timestamps (seconds since Jan 1, 1970).
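The decoding and time-claim checks described above, sketched as an added example rather than this tool's own code. The function names and the sample token are assumptions constructed for illustration, and the signature is deliberately left unverified, so the decoded values are untrusted input.

```javascript
// Added example: decode a JWT locally and report its time-claim status.
// The signature is NOT verified, so treat every decoded value as untrusted.

// Base64URL -> UTF-8 string (restore '+', '/', and '=' padding first).
function b64urlDecode(part) {
  if (!/^[A-Za-z0-9_-]+$/.test(part)) throw new Error("not Base64URL");
  const b64 = part.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

function decodeJwt(token) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  return {
    header: JSON.parse(b64urlDecode(parts[0])),
    payload: JSON.parse(b64urlDecode(parts[1])),
    signature: parts[2], // left encoded: checking it needs the key
  };
}

// nowSeconds is injectable so the check can be run against a fixed clock.
function timeStatus(payload, nowSeconds = Math.floor(Date.now() / 1000)) {
  for (const claim of ["iat", "nbf", "exp"]) {
    if (claim in payload && !Number.isFinite(payload[claim])) return "malformed";
  }
  if ("nbf" in payload && nowSeconds < payload.nbf) return "not-yet-valid";
  // RFC 7519: a token must not be accepted on or after exp.
  if ("exp" in payload && nowSeconds >= payload.exp) return "expired";
  return "exp" in payload ? "active" : "no-expiry";
}

// Constructed sample token (placeholder signature, not a real credential).
function b64urlEncode(obj) {
  return btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
const SAMPLE_TOKEN = [
  b64urlEncode({ alg: "HS256", typ: "JWT" }),
  b64urlEncode({ sub: "user-123", iat: 1700000000, nbf: 1700000000, exp: 1700003600 }),
  "c2FtcGxlLXNpZw",
].join(".");

const decoded = decodeJwt(SAMPLE_TOKEN);
console.log(decoded.header, decoded.payload, timeStatus(decoded.payload));
```

A server must still verify the signature before acting on any of these claims; the status reported here is only what the token says about itself.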