About this tool
A JSON Web Token is a compact, URL-safe way to represent claims between two parties. It has three Base64URL segments — header, payload and signature — separated by dots.
Decoding a token lets you inspect its claims while debugging authentication: check the algorithm, the subject, and whether the token has expired.
Decoding is not verification. Never paste production signing keys into any website — this tool only reads the public parts of the token, locally.
Frequently asked questions
How do I decode a JWT token?
Paste the token into the box above. A JWT has three dot-separated Base64URL parts — header, payload and signature — and this tool decodes the header and payload into readable JSON instantly, in your browser. Decoding only reads the token; it never verifies or uploads it.
Is it safe to paste a token here?
Yes. Decoding happens entirely in your browser — the token never leaves your device.
Does this tool verify signatures?
No. It decodes the header and payload for inspection. Verification requires your secret or public key, which you should never paste into a website.
Why is my token marked as expired?
The exp claim is compared against your system clock. An expired token still decodes, but servers will reject it.