Decode a JWT token and inspect its claims
A JWT is three Base64url segments. Decode the header and payload to read the claims, check exp and iat, and diagnose auth issues — decoding never verifies the signature, so treat the contents as unverified.
Open the tool, then paste the sample input below. Everything runs locally in your browser.
The problem
Auth is failing and you need to see what is actually inside the token: which algorithm, which subject, when it expires. Pasting a JWT into a random site is risky because tokens are credentials. You want to decode it locally and read the claims without sending it anywhere.
Sample input
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c2VyLTQyIiwicm9sZSI6ImFkbWluIiwiZXhwIjoxNzAwMDAwMDAwfQ.3Q9m0n
This is a sample; the signature segment is illustrative.
Expected output
{
  "sub": "user-42",
  "role": "admin",
  "exp": 1700000000
}
The header decodes to {"alg":"HS256","typ":"JWT"}. The exp claim is a Unix timestamp in seconds since the epoch; compare it to the current time to see whether the token has expired.
How to do it
- Copy the JWT.
- Paste it into the decoder.
- Read the decoded header and payload.
- Check the exp claim against the current time.
- Confirm the alg and any custom claims.
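The steps above carried out in plain JavaScript, as an added example that is not the tool's own code: split the token, restore the Base64url padding, parse the header and payload, and compare exp against an injected clock. The sample token from this page is embedded; `SAMPLE_JWT`, `decodeJwt` and the other names are assumptions made for this example.

```javascript
// Added example, not the tool's own code: decode (never verify) a compact JWT
// and check exp against a supplied clock. The token is this page's sample;
// its signature segment is illustrative and is only measured, not checked.
const SAMPLE_JWT =
  "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9." +
  "eyJzdWIiOiJ1c2VyLTQyIiwicm9sZSI6ImFkbWluIiwiZXhwIjoxNzAwMDAwMDAwfQ." +
  "3Q9m0n";

// Base64url -> bytes: map '-' '_' back to '+' '/' and restore the padding.
function base64urlDecode(segment) {
  if (!/^[A-Za-z0-9_-]*$/.test(segment)) {
    throw new Error("segment contains non-Base64url characters");
  }
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bin = typeof atob === "function"
    ? atob(padded)
    : Buffer.from(padded, "base64").toString("binary");
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
}

function decodeJsonSegment(segment) {
  return JSON.parse(new TextDecoder().decode(base64urlDecode(segment)));
}

// nowSeconds is injected so the expiry check is deterministic and testable.
function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) {
    throw new Error(`expected 3 segments, got ${parts.length}`);
  }
  const header = decodeJsonSegment(parts[0]);
  const payload = decodeJsonSegment(parts[1]);
  const hasExp = typeof payload.exp === "number";
  return {
    header,
    payload,
    alg: header.alg,
    // RFC 7519: the token is valid only while now < exp (exp is in seconds).
    expired: hasExp ? nowSeconds >= payload.exp : null,
    // A 13-digit exp is almost certainly milliseconds, a common mistake.
    expLooksLikeMillis: hasExp && payload.exp > 1e11,
    signatureBytes: base64urlDecode(parts[2]).length,
    verified: false, // decoding never checks the signature
  };
}

const r = decodeJwt(SAMPLE_JWT, 1700000001); // one second past exp
console.log(JSON.stringify(r.payload, null, 2));
console.log(`alg=${r.alg} expired=${r.expired} verified=${r.verified}`);
```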
Common mistakes
- Assuming a decoded token is verified — decoding does not check the signature.
- Pasting a real production token into an untrusted site.
- Reading exp as milliseconds when JWT uses seconds since the epoch.
- Confusing the URL-safe Base64url segments with standard Base64.
- Editing a claim and expecting the token to stay valid.
FAQ
Does decoding a JWT verify it?
No. Decoding only reads the Base64url header and payload. Verifying the signature is a separate step that needs the signing key; treat decoded claims as unverified.
How do I tell if a JWT is expired?
Read the exp claim, which is a Unix timestamp in seconds, and compare it to the current time. If exp is in the past, the token is expired.
Why are the JWT segments not standard Base64?
JWT uses Base64url, which replaces + and / with - and _ and drops padding, so the token is safe in URLs and headers.
Is it safe to paste a token here?
Decoding runs entirely in your browser and the token is never uploaded. Still, avoid pasting long-lived production credentials into any tool you do not control.
Can I edit claims and re-sign?
This tool decodes and inspects only. Changing a claim invalidates the signature, so a tampered token will fail verification on the server.