JWT Decoder

Paste a JWT and see its header, payload, and signature instantly, with the expiration humanized. Everything runs in your browser — the signature is not verified and nothing is uploaded.

JWT
HEADER
PAYLOAD
SIGNATURE
    Paste a JWT

    Decoded locally — the signature is NOT verified and nothing is uploaded.

    How to decode a JWT

    A JWT (JSON Web Token) is three Base64URL-encoded parts separated by dots: header.payload.signature. This decoder splits it, Base64URL-decodes the header and payload to readable JSON, and shows the signature — entirely in your browser. It does NOT verify the signature. Paste your token above; the header and payload appear instantly and the Claims summary humanizes the timestamps.

    Decoding vs verifying

    Decoding and verifying are two different things. Decoding turns the Base64URL header and payload back into JSON — anyone can do it, no key required, and that is all this tool does. Verifying recomputes the signature with the secret or public key and confirms the token was not tampered with and has not expired. Because this page only reads the claims and never checks the signature, never trust an unverified token server-side — always verify with a library before acting on it. For the full mechanics, see Base64 in JSON Web Tokens.

    Reading token expiration

    The exp claim is a Unix timestamp in seconds — the moment after which the token must be rejected. We humanize it for you: the Claims summary converts exp, iat (issued-at), and nbf (not-before) into readable dates and flags whether the token is expired or still valid. In code, build a date with new Date(payload.exp * 1000) and treat the token as expired when payload.exp * 1000 < Date.now().

    Is it safe to paste my JWT here?

    Yes — the decoding runs fully in the browser with JavaScript, so your token is decoded locally and nothing is uploaded to any server. You can confirm in DevTools → Network: decoding fires no request. That said, treat tokens as secrets: a valid JWT can grant access until it expires, so avoid pasting production tokens into tools you do not trust.

    Frequently asked questions

    How do I decode a JWT?

    Paste the whole token into the decoder above. It splits the JWT on the dots and Base64URL-decodes the header and payload into readable JSON, locally in your browser. In code: split on ., restore Base64URL padding, replace - with + and _ with /, then base64-decode each segment and JSON.parse it.

    How can I decode a JWT without verifying the signature?

    That is exactly what this tool does. Decoding only reads the Base64URL header and payload, which need no key — verifying is a separate step that recomputes the signature with the secret or public key. This decoder never verifies; it simply shows you the claims. Just remember never to trust an unverified token on the server.

    How do I read a JWT's expiration (exp)?

    The exp claim is a Unix timestamp in seconds. Build a date with new Date(payload.exp * 1000); the token is expired when payload.exp * 1000 < Date.now(). The Claims summary on this page humanizes exp, iat, and nbf and marks whether the token is expired or valid.

    Is it safe to paste a JWT into an online decoder?

    Here, yes — this decoder runs entirely in your browser and the token is never sent to a server. In general, treat tokens as secrets and be cautious: avoid pasting production tokens into tools you do not trust, since a valid JWT can grant access until it expires.

    Need plain Base64 encode/decode?

    The main base64.dev tool handles text, files, and URL-safe mode with auto-detect.

    Open base64.dev →