JWT Decoder & Inspector

Paste any JWT token and instantly decode the header, payload, and claims. Expiry status, timestamps, and all standard claims shown clearly.

Tip: Press Ctrl+Enter to decode. Your token never leaves your browser.

About JWT Decoder & Inspector

A JWT (JSON Web Token) consists of three Base64URL-encoded parts separated by dots: header, payload, and signature. This tool decodes the header and payload instantly, shows all claims in a readable format, converts Unix timestamps to human-readable dates, and tells you, from the token's time claims, whether it is valid, expired, or not yet active.

How It Works

  1. Copy your JWT token from your app, browser DevTools, or Postman
  2. Paste it into the input field
  3. Click Decode Token or press Ctrl+Enter
  4. Inspect header, payload, claims, and expiry status

Key Features

  • Decodes JWT header and payload instantly
  • Shows expiry status: valid, expired, or not yet valid
  • Auto-converts exp, iat, nbf timestamps to readable dates
  • Displays all standard and custom claims
  • Show / hide signature for security
  • 100% browser-based — tokens never leave your device

Frequently Asked Questions

How do I decode a JWT token?
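A JWT has three parts separated by dots. The first two (header and payload) are Base64URL-encoded JSON. Paste the full token here and they are decoded instantly in your browser. The third part is the signature: it is Base64URL-encoded binary data rather than JSON, so it decodes to nothing readable, and it can only be checked with the signing key. Decoding shows what a token claims; it does not prove the token is authentic.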
What claims does a JWT contain?
Standard JWT claims include: sub (subject/user ID), iss (issuer), aud (audience), exp (expiration time), iat (issued at), nbf (not before), and jti (JWT ID). Most auth providers like Auth0, Firebase, and Cognito add custom claims for roles, email, and permissions.
Is it safe to paste my JWT token into this tool?
Yes — this tool runs entirely in your browser. Your token is decoded using JavaScript locally and is never sent to any server. That said, treat JWT tokens like passwords: avoid sharing them in public, rotate them regularly, and use short expiry times in production.
How do I check if a JWT token is expired?
The exp claim in the payload is a Unix timestamp (seconds since 1970). If exp is less than the current time, the token is expired. This tool does that check automatically and shows you a clear Valid or Expired status badge along with the exact expiry date and time.
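
The decoding and expiry check described in the answers above, as an added example (not this tool's own code). The function names and the sample token are constructed for illustration; the code only decodes and never verifies the signature.

```javascript
// Added example: decode (not verify) a JWT and classify it by its time claims.

// Base64URL -> UTF-8 string. Restores the '+', '/' and '=' that Base64URL omits.
function b64urlDecode(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error('segment is not Base64URL');
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder('utf-8', { fatal: true }).decode(bytes);
}

// Splits the token and parses header and payload. The signature is returned
// untouched: nothing here proves the token is authentic.
function decodeJwt(token) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const [header, payload] = parts.slice(0, 2).map((p) => JSON.parse(b64urlDecode(p)));
  return { header, payload, signature: parts[2] };
}

// Time-window status from exp and nbf (Unix seconds). nowSec is injectable for testing.
function timeStatus(payload, nowSec = Math.floor(Date.now() / 1000)) {
  for (const claim of ['exp', 'nbf', 'iat']) {
    if (claim in payload && !Number.isFinite(payload[claim])) {
      throw new Error(`${claim} is not a numeric timestamp`);
    }
  }
  if ('nbf' in payload && nowSec < payload.nbf) return 'not yet valid';
  if ('exp' in payload && nowSec >= payload.exp) return 'expired';
  return 'exp' in payload ? 'valid' : 'no expiry set';
}

// Readable UTC date for exp, iat and nbf.
const toDate = (sec) => new Date(sec * 1000).toISOString();

// Constructed sample token; the signature segment is a placeholder, not a real MAC.
const b64url = (obj) =>
  btoa(JSON.stringify(obj)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const sample = [
  b64url({ alg: 'HS256', typ: 'JWT' }),
  b64url({ sub: 'user-123', iat: 1700000000, nbf: 1700000000, exp: 1700003600 }),
  'c2lnbmF0dXJl',
].join('.');

const { header, payload } = decodeJwt(sample);
console.log(header.alg, payload.sub, toDate(payload.exp), timeStatus(payload));
```

A server that accepts tokens must verify the signature with a JWT library before trusting any claim; the status returned here reflects the time window only.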
