JWT Decoder
Decode and inspect JSON Web Tokens. View header, payload, signature, and decoded timestamps. Spot expired tokens instantly.
JWT Decoder runs 100% in your browser
Your files are never uploaded to any server. All processing happens locally on your device using modern browser technology. Private, fast, and free.
How to Decode and Inspect a JWT (JSON Web Token)
Open the JWT Decoder
Navigate to the tool. No signup, no logs.
Paste your JWT
Drop in any JWT — typically a long base64url string with two dots like xxxxxx.yyyyyy.zzzzzz.
Read the decoded header and payload
The header (algorithm, key ID) and payload (claims like sub, iat, exp) appear as readable JSON.
Check expiration and timestamps
Standard claims (exp, iat, nbf) are shown as readable dates with how long ago or until — catch expired tokens at a glance.
Pro Tips
- JWTs have three parts: header.payload.signature — separated by dots, all base64url-encoded.
- exp is the expiration time in seconds since 1970. iat is when the token was issued. nbf is "not before" — the earliest time it is valid.
- The signature cannot be verified without the signing key — this decoder shows you the contents only. Never trust a JWT’s claims without verifying the signature server-side.
- If your payload has nested JSON inside a claim (like permissions), it displays as a string — paste the inner JSON into the JSON Formatter tool to pretty-print it.
- For Authorization headers, paste just the part after "Bearer " — the decoder handles whitespace and prefixes leniently.
Who needs JWT Decoder?
Students
Academic work and assignments
Professionals
Business and office tasks
Creatives
Design and content creation
Everyone
Personal everyday tasks
When to Use JWT Decoder
Debugging auth failures
Paste the rejected token to see if it is expired, has the wrong audience claim, or is missing a required permission.
Inspecting OAuth tokens
Decode access tokens from OAuth flows to understand the scopes and claims your identity provider is issuing.
API integration
When integrating with a service that issues JWTs, decode samples to learn the exact claim names and value formats.
Security review
Verify that JWTs do not contain sensitive data they should not — the payload is readable by anyone with the token.
Frequently Asked Questions
Does the decoder verify the signature?
No. Signature verification requires the secret or public key, which we do not and should not have. Use this tool to inspect contents — always verify signatures server-side with the real key.
Can I decode any JWT?
Yes, as long as it follows the standard header.payload.signature structure and uses base64url encoding (which all JWTs do).
What if my token is not valid?
The decoder shows a clear error pointing to which part failed (header parse, payload parse, base64 decode). Most often it is a copy-paste truncation or extra whitespace.
Is it safe to paste a production token?
Decoding happens entirely in your browser — nothing is sent to a server. That said, a JWT is a credential. If your screen is shared or recorded, the decoded payload is visible.
Why are my dates showing as numbers?
JWT timestamps (iat, exp, nbf) are stored as seconds since 1970. The decoder converts them to human-readable dates with relative time ("expires in 2h") next to the raw values.
JWT Decoder vs Alternatives
JWT decoding is a routine debugging task. Popular options vary in privacy and convenience.
jwt.io
Auth0’s JWT debugger
Key difference: Excellent, but the token is pasted into a third-party site — not ideal for production tokens. Adds signature verification UI which can be useful.
Command-line decoding
echo TOKEN | cut -d. -f2 | base64 -d
Key difference: Works but awkward, does not handle base64url properly without flags, no human-readable date formatting.
Browser DevTools
atob() in console
Key difference: Fine for one part at a time, but requires manual splitting and url-safe base64 fixes.
Decode in your browser, see all three parts at once, human-readable timestamps, no third-party logging of your tokens.
Good to know
- All processing happens in your browser. Very large files may be slower on mobile devices or older computers.
- Results depend on the quality and format of your input. For best results, use high-quality source files.
- Once you close the browser tab, all data is gone. Make sure to download your results before closing.
Key Features
100% Free
No hidden fees, no premium tiers, no limits on how much you use it. Free today, free tomorrow, free forever.
Complete Privacy
Your files never leave your device. Everything is processed locally in your browser — we physically cannot access your data.
No Registration
Start using the tool immediately. No account, no email, no personal information required. Just open and use.
Works Everywhere
Compatible with Chrome, Firefox, Safari, and Edge on desktop and mobile. Works offline once the page has loaded.