JWT Decoder (Client-side)
Paste a JWT to decode the header and payload without sending data to a server.
What this tool does
The JWT Decoder reads the header and payload sections of a JSON Web Token and displays them as formatted JSON. It also interprets the `exp` claim to show when the token expires and whether it is currently valid. All decoding happens locally in your browser, so you can inspect tokens without sending them to a server.
When to use this tool
Use it when debugging authentication issues, inspecting access tokens in a staging environment, or reviewing the claims included in a JWT. It pairs well with Timestamp Converter if you need to confirm a specific epoch time. It is also helpful during security reviews when you want to verify which scopes or user IDs are embedded in a token.
How it works
The tool splits the JWT into its three parts, Base64URL-decodes the header and payload, and parses the JSON. It checks for the `exp` field and compares it to the current time. No signature verification is performed, so the output should be treated as a readable view of the token contents, not proof of authenticity.
Example use case
A client reports that their session expires earlier than expected. You paste their JWT, inspect the `exp` and `iat` claims, and confirm the token lifetime is shorter than intended. You then share the expiration timestamp with the backend team and adjust the config to extend the token duration.
Use cases
- Check token expiration during a login issue.
- Review claims and scopes for access debugging.
- Inspect the header algorithm in a staging token.
Notes & limitations
This tool does not verify signatures, issuer trust, or revocation status. Tokens can be tampered with, so never rely on decoded values for security decisions. Avoid pasting production tokens on shared devices, and remember that even locally decoded tokens can still contain sensitive information.
JWT timestamps such as `exp` and `iat` are expressed in seconds since the Unix epoch, not milliseconds. If you see a date far in the future, check whether the issuer is using milliseconds. Always inspect the `alg` header to understand the signature algorithm expected by your backend.
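An added example, not the tool's own source, that implements the steps described under "How it works" and applies the seconds-versus-milliseconds check from the notes above. The sample token is constructed inside the block and its signature part is a dummy string; no signature is verified.

```javascript
// Added example: minimal client-side JWT decoder (split, Base64URL-decode,
// parse JSON, evaluate `exp`). Runs in a browser or in Node 16+ (atob/btoa,
// TextEncoder/TextDecoder are globals in both).

function base64UrlDecode(segment) {
  // Base64URL uses '-' '_' instead of '+' '/' and drops '=' padding; restore both.
  let b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const rem = b64.length % 4;
  if (rem === 1) throw new Error("invalid Base64URL segment length");
  if (rem) b64 += "=".repeat(4 - rem);
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  // fatal: true rejects malformed UTF-8 instead of silently substituting it.
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

function base64UrlEncode(text) {
  const b64 = btoa(String.fromCharCode(...new TextEncoder().encode(text)));
  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Decode a JWT and evaluate `exp` against nowMs (milliseconds, like Date.now()).
function decodeJwt(token, nowMs = Date.now()) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const header = JSON.parse(base64UrlDecode(parts[0]));
  const payload = JSON.parse(base64UrlDecode(parts[1]));

  let expiration = "no exp claim";
  let expiresAt = null;
  if (typeof payload.exp === "number") {
    // exp is seconds since the Unix epoch. Anything above 1e11 (year 5138 as
    // seconds) only makes sense as milliseconds: flag that issuer bug instead
    // of rendering a date far in the future.
    if (payload.exp > 1e11) {
      expiration = "suspicious: exp looks like milliseconds, not seconds";
    } else {
      expiresAt = new Date(payload.exp * 1000).toISOString();
      expiration = payload.exp * 1000 > nowMs ? "valid" : "expired";
    }
  }
  // alg is displayed, not trusted: only the backend's verifier decides what it accepts.
  return { header, payload, alg: header.alg, expiration, expiresAt, signatureVerified: false };
}

// Constructed sample token: real header and payload, dummy (unchecked) signature part.
function sampleToken(claims) {
  const header = base64UrlEncode(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  return `${header}.${base64UrlEncode(JSON.stringify(claims))}.not-a-real-signature`;
}
```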