JWT Decoder & Expiration Checker
Decode JWT tokens, inspect claims, and check expiration timestamps. All processing is done locally in your browser.
How to decode a JWT
A JSON Web Token (JWT, pronounced "jot") is a compact, URL-safe token
format defined by RFC 7519. It consists of three Base64URL-encoded
parts separated by dots: a header that specifies the signing
algorithm, a payload containing claims like
sub, roles, and exp, and a
signature that helps verify the token has not been tampered with.
JWT structure
header.payload.signature
JWTs are commonly used for API authentication, single sign-on (SSO), and session management. This inspector decodes the header and payload so you can read the claims, check expiration timestamps, and debug token issues without sending the token anywhere.
JWT decoder examples
- Decode a JWT from an API response to inspect its claims
- Check the exp (expiration) and iat (issued at) timestamps in a token
- Verify which signing algorithm (HS256, RS256, etc.) a token uses
- Debug an "invalid token" error by inspecting the payload structure
- Read the sub, iss, and aud claims to understand a token's scope
How to use this JWT decoder
- Paste a JWT into the text area.
- The inspector immediately decodes and displays the header and payload as formatted JSON.
- Expiration information is highlighted. You can see at a glance whether the token is still valid or has expired.
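The decode and expiry check described above, sketched as an added example (not this tool's own source code). The function names and the sample token are constructed for illustration, and the signature segment is deliberately left unverified, so the result is for inspection only and must not be used for an authorization decision.

```javascript
// Added example: local JWT inspection. Decodes only; the signature is NOT verified.
function b64urlToJson(segment) {
  // Base64URL -> Base64: swap the URL-safe characters and restore the padding.
  let b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  if (b64.length % 4 === 1) throw new Error("invalid Base64URL length");
  b64 += "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}

function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3 || parts.slice(0, 2).some((p) => p === "")) {
    throw new Error("expected header.payload.signature");
  }
  const header = b64urlToJson(parts[0]);
  const payload = b64urlToJson(parts[1]);

  // exp and nbf are Unix timestamps in seconds, not milliseconds.
  let status = "no exp claim";
  if (typeof payload.exp === "number") {
    // A token is expired once the current time reaches exp.
    status = nowSeconds >= payload.exp ? "expired" : "not expired";
  }
  if (typeof payload.nbf === "number" && nowSeconds < payload.nbf) {
    status = "not yet valid";
  }
  return { header, payload, alg: header.alg, status, signatureVerified: false };
}

// Constructed sample token (hypothetical issuer and subject; placeholder signature).
function b64url(obj) {
  return btoa(JSON.stringify(obj))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
const sampleToken = [
  b64url({ alg: "HS256", typ: "JWT" }),
  b64url({ sub: "user-123", iss: "https://issuer.example",
           iat: 1700000000, nbf: 1700000000, exp: 1700003600 }),
  "c2lnbmF0dXJlLW5vdC1jaGVja2Vk",
].join(".");
```

Passing a fixed `nowSeconds` makes the check reproducible when debugging a captured token.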
JWT decoder FAQ
Does this JWT decoder verify the signature?
This tool decodes and displays the token contents but does not verify the cryptographic signature. Signature verification requires the signing secret or public key, which should never be pasted into a web tool. Use a server-side library for signature validation.
How is my JWT processed?
All decoding happens entirely in your browser, and the token is
never sent to any server. That said, JWTs often contain sensitive
claims like sub, role names, email addresses, or
permissions, so avoid sharing them in public channels regardless of
the tool you use.
What do JWT claims mean?
- iss: issuer, the system that created the token.
- sub: subject, usually the user or entity the token represents.
- aud: audience, the intended recipient of the token.
- exp: expiration time, usually stored as a Unix timestamp.
- iat: issued-at time.
- nbf: not-before time; the token is not valid before this moment.
Why does my token show as three sections?
A JWT is always three Base64URL-encoded parts separated by dots:
header.payload.signature
The header declares the algorithm, the payload carries the claims, and the signature protects integrity. This tool decodes the first two parts, which are encoded, not encrypted.
Privacy
All JWT decoding happens entirely in your browser. Your tokens are never transmitted to any server; the Base64URL decoding runs locally in JavaScript.