Skip to main content
Utilnivo

Developer

JWT Decoder

  • Browser-based
  • No signup

Paste a JWT to decode its header and payload as readable JSON. Optional Bearer prefixes are supported. Common time claims (iat, nbf, exp) are shown as timestamps with expiry status. The signature is displayed but not verified. Decoding runs in your browser.

JWTs bundle header, payload, and signature segments. Decoding shows claims such as subject, audience, and expiry—it does not verify that the token was issued by a trusted party or that the signature is valid.

Never paste production bearer tokens into shared machines or screen recordings. Treat decoded payloads as sensitive even when verification is skipped for debugging.

Use JWT Expiry Checker when you only need to know whether a token is expired without reading every claim.

100% Client-Side

Your data never leaves your computer.

How to use this tool

1. Paste a JWT into the input area. 2. Review decoded Header and Payload JSON in the results. 3. Check algorithm, token type, and time-related claims if present. 4. Copy header, payload, or signature sections as needed. 5. Do not paste production secrets into shared machines.

Worked example

Example: a sample JWT with alg HS256 shows the header algorithm and payload claims such as sub and exp when decoded—signature verification is not performed.

When to use this

  • Inspecting `exp` and `roles` on an access token during login debugging.
  • Comparing staging vs production `iss` and `aud` claims.
  • Confirming a session expired from the payload timestamp.
  • Teaching how JWT header and payload are structured.

Common examples

  • Access token from OAuth login → inspect `exp`, `sub`, and `roles` claims.
  • Staging vs production token → compare `iss` and `aud` without verifying signature locally.
  • Expired session token → confirm `exp` timestamp against current time in the payload view.
  • Staging ID token → confirm `aud` matches your SPA client ID before release.
  • Expired refresh token → verify `exp` claim against local clock skew.

What people search for

  • jwt decoder
  • decode jwt token
  • jwt payload viewer
  • json web token decoder
  • inspect bearer token

Common mistakes

  • Assuming a decoded token is trustworthy without signature verification.
  • Pasting production bearer tokens into untrusted third-party sites.
  • Ignoring clock skew when reading `exp` and `nbf` claims.
  • Confusing encrypted JWE tokens with plain signed JWTs.
  • check JWT expiry against current time
  • compare two JWT payloads side by side
  • decode OAuth ID token claims
  • format JSON inside JWT payload
  • debug refresh token rotation flow

How it works

Paste a JWT (optionally with a Bearer prefix). The tool splits header, payload, and signature, Base64URL-decodes the first two segments, and pretty-prints them as JSON. Common time claims (iat, nbf, exp) are shown as timestamps. Signatures are displayed but not verified.

Limitations

Decoding a JWT does not verify its signature or prove the token is valid, trusted, or unexpired. Do not paste production secrets into untrusted tools.

Privacy and file handling

Your data is processed in your browser and is not uploaded to our server.

Explore focused guides for common searches—each page reuses this jwt decoder with different examples and FAQs.

Frequently asked questions

Does this verify the JWT signature?

No. The tool only decodes and displays the header, payload, and signature. It does not validate signatures or trust the token.

What time claims are shown?

When present, iat (issued at), nbf (not before), and exp (expires) are shown as ISO timestamps with a simple status such as expired or active.

Is my token stored?

No. Decoding runs locally in your browser and tokens are not stored.

Part of these workflows

This tool is one step in a longer job. Jump straight to your step or open the full workflow guide.

Page last reviewed: