Decode a JWT (JSON Web Token) instantly and inspect its header, payload and signature. Paste your token to read the claims in plain JSON, check expiry, and optionally verify the signature — all client-side, so your tokens never leave the browser.
Paste any JSON Web Token and the decoder splits it into its three parts and Base64-decodes the header and payload into readable JSON. See the algorithm, claims like iss, sub, exp and iat, and spot problems at a glance.
Quickly tell whether a token has expired and, when you supply a secret or public key, verify the signature for HS256 or RS256. It is the safe way to decode and debug JWT tokens without pasting them into a remote service.
Anyone can decode a JWT — the payload is only Base64-encoded, not encrypted. Always verify the signature server-side before trusting a token. This tool helps you inspect tokens during development and debugging.
Paste the JWT into the input. The decoder shows the header and payload as formatted JSON and indicates whether the token has expired.
Yes. Decoding happens entirely in your browser — the token is never sent to a server, so even production tokens stay private.
No. Decoding only reads the Base64 payload, which is not encrypted. To trust a token you must verify its signature, which you can do here by providing the secret or public key.
You can verify common algorithms including HS256 (shared secret) and RS256 (public/private key).