JWT Decoder

Header, payload and expiry decoded offline — the token never leaves your browser.

Paste a token, see everything: decoded header and payload, every time-claim converted to your local timezone with relative age, an unmissable EXPIRED badge, and a security warning if the token uses the dangerous none algorithm. Decoding happens entirely on your device — open DevTools and watch: zero network requests. Testing the API the token belongs to? Our cURL to Code Converter is next door.

Frequently Asked Questions

Is it safe to paste a real JWT here?

The token is decoded entirely in your browser: no network request is made, nothing is logged or stored, and the page works offline once loaded. Even so, treat production tokens the way you treat passwords: a bearer token is a credential, and anyone who holds it can use it until it expires. Prefer expired or staging tokens when debugging in any online tool.

What exactly is inside a JWT?

Three base64url parts (unpadded) separated by dots: a header (algorithm and token type), a payload (your claims: user id, roles, expiry), and a signature computed over the first two parts. The header and payload are only encoded, NOT encrypted: anyone holding the token can read them, which is exactly what this decoder shows. If a claim is sensitive, it does not belong in a JWT payload.

Does this verify the signature?

No. Verification requires the signing secret or public key, which should never be pasted into a web page. This tool decodes and inspects claims, which covers most debugging; verify signatures server-side with your framework's JWT library, and never trust a claim from a token whose signature you have not checked.

Why is alg=none flagged in red?

The infamous "none algorithm" attack: some older libraries treated a token as valid when its header declared alg none, skipping signature verification entirely, so an attacker could strip the signature and forge any identity. Servers must reject such tokens outright and should pin the algorithm they expect rather than trusting whatever the header claims. The red flag reminds you to check that yours does.

What do exp, iat and nbf mean?

NumericDate values, that is, seconds (not milliseconds) since the Unix epoch, governing validity: iat = when the token was issued, nbf = not valid before, exp = expiry. A token is valid only when nbf <= now < exp. The decoder converts each to your local time with a relative description ("2 hours ago") and shows a clear EXPIRED badge when exp is in the past.
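The three answers above (what the segments are, why alg=none is flagged, and how exp/iat/nbf are interpreted) can be exercised with the following added example. It is not the decoder's own source; it is a self-contained JavaScript sketch of the same offline logic that runs in a browser or in Node 16+ (it relies only on the standard atob/btoa, TextEncoder/TextDecoder and Date globals). The sample token is constructed in the code, with an arbitrary user id, role and timestamps chosen for illustration, and the "now" clock is passed in as a parameter so the results are reproducible.

```javascript
// Added example, not the tool's own code: decode a JWT offline, flag alg=none,
// and interpret the time claims. No network access, no signature verification.

// base64url (RFC 7515: '-' '_' alphabet, padding stripped) -> UTF-8 string
function base64UrlDecode(segment) {
  let b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const rem = b64.length % 4;
  if (rem === 1) throw new Error("invalid base64url length");
  if (rem) b64 += "=".repeat(4 - rem);
  const bin = atob(b64);
  const bytes = Uint8Array.from(bin, (c) => c.charCodeAt(0));
  // fatal: true rejects malformed UTF-8 instead of silently substituting
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

// Human-readable offset, e.g. "2 hours ago" or "in 1 day"
function describeRelative(deltaSec) {
  const abs = Math.abs(deltaSec);
  const [size, name] =
    abs >= 86400 ? [86400, "day"] : abs >= 3600 ? [3600, "hour"] : abs >= 60 ? [60, "minute"] : [1, "second"];
  const n = Math.floor(abs / size);
  const label = `${n} ${name}${n === 1 ? "" : "s"}`;
  return deltaSec < 0 ? `${label} ago` : `in ${label}`;
}

// Decode header and payload, evaluate iat/nbf/exp against `nowMs`, and collect warnings.
function decodeJwt(token, nowMs = Date.now()) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error(`expected 3 dot-separated parts, got ${parts.length}`);
  const [h, p, sig] = parts;
  const header = JSON.parse(base64UrlDecode(h));
  const payload = JSON.parse(base64UrlDecode(p));

  const warnings = [];
  // Compare case-insensitively: "None"/"NONE" variants were used to dodge naive checks.
  if (typeof header.alg === "string" && header.alg.toLowerCase() === "none") {
    warnings.push("alg=none: token is unsigned; servers must reject it");
  }
  if (sig === "") warnings.push("empty signature segment");

  // Time claims are NumericDate: seconds since the Unix epoch, not milliseconds.
  const nowSec = Math.floor(nowMs / 1000);
  const times = {};
  for (const claim of ["iat", "nbf", "exp"]) {
    if (typeof payload[claim] === "number") {
      const d = new Date(payload[claim] * 1000);
      times[claim] = { utc: d.toISOString(), local: d.toLocaleString(), relative: describeRelative(payload[claim] - nowSec) };
    }
  }
  const expired = typeof payload.exp === "number" && payload.exp <= nowSec;
  const notYetValid = typeof payload.nbf === "number" && payload.nbf > nowSec;

  return { header, payload, signature: sig, times, expired, notYetValid, warnings };
}

// Encoder used only to build the constructed sample below.
function base64UrlEncode(str) {
  const bytes = new TextEncoder().encode(str);
  let bin = "";
  for (const b of bytes) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Constructed sample (illustrative values): an alg=none forgery with an empty signature,
// issued at 1700000000 and expiring one hour later.
const SAMPLE_NONE_TOKEN = [
  base64UrlEncode(JSON.stringify({ alg: "none", typ: "JWT" })),
  base64UrlEncode(JSON.stringify({ sub: "alice", role: "admin", iat: 1700000000, nbf: 1700000000, exp: 1700003600 })),
  "",
].join(".");

// Usage: evaluate the sample two hours after issue; it is expired and flagged.
const report = decodeJwt(SAMPLE_NONE_TOKEN, 1700007200 * 1000);
console.log(JSON.stringify(report, null, 2));
```

Two details worth copying into any real decoder: the padding step, because base64url segments are stripped of "=" and a plain atob of an odd-length segment throws, and the case-insensitive alg check, because a server that only rejects the literal string "none" can be bypassed by "None".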