JWT decoder
Decode a JSON Web Token and read its header and payload — without verifying the signature.
Related tools
JWT decoder
Paste a JSON Web Token and this decoder splits it into its dot-separated parts, decodes the Base64URL header and payload, and formats both as readable JSON. Use it to debug login flows, inspect access and ID tokens from OAuth and OpenID Connect providers, check which claims your backend actually issues, or find out why a request keeps coming back as 401.
Time claims are the most common reason to open a token. With the date option enabled, the decoder lists exp (expiry), iat (issued at) and nbf (not before) a second time as ISO 8601 timestamps, so you can see at a glance whether a token has already expired or is not valid yet. The tally under the output shows the signing algorithm from the header and how many claims the payload carries.
One thing this tool deliberately does not do: verify the signature. Checking a signature requires the signing secret or the issuer's public key, and a secret pasted into a web page is a secret leaked. The decoder shows the token's contents and always marks the signature as not verified — treat every decoded token as unauthenticated data.
Decoding happens entirely in your browser; the token never leaves your device and nothing is sent to any server. That matters more here than almost anywhere else, because even a short-lived staging token grants access to something. Tokens wrapped across several lines and values copied with a Bearer prefix are cleaned up automatically before decoding.