Skip to content

Developer

JWT Decoder

Decode a JSON Web Token's header and payload, with expiry and issued-at rendered as readable dates. Runs entirely in this tab, which matters more here than anywhere else on the site — pasting a production token into a server-side decoder hands someone your credentials.

Runs entirely in your browser

Loading tool…

How it works

  1. 01Paste the token.
  2. 02The header and payload decode instantly, with timestamps rendered as readable dates.
  3. 03Expiry is checked against your clock and flagged.

Questions

Is it safe to paste a production token here?
Safer than anywhere that decodes server-side, because nothing is transmitted — decoding happens in this tab. That said, treat any token you have pasted anywhere as worth rotating; the habit matters more than any single tool's promise.
Why doesn't it verify the signature?
Verification needs the signing key. A tool that asked you to paste your secret in order to check a token would create a far worse problem than the one it solves.
What do exp, iat and nbf mean?
exp is when the token expires, iat when it was issued, and nbf the earliest time it is valid. All are Unix timestamps in seconds, which is why they are shown converted alongside the raw value.