Utilz
JWT Decoder
Decode and inspect JWT tokens instantly
Decoding only — signature is not verified
Want to learn more? Read our guide: JWT & JSON Security Essentials
Why Use This Tool?
- Decode JWT tokens instantly to inspect the header, payload, and expiration status.
- Check if a token is expired at a glance with the built-in expiration indicator.
- All decoding happens in your browser -- your tokens are never sent to any server.
How It Works
A JWT consists of three Base64URL-encoded parts separated by dots: header.payload.signature. The header specifies the algorithm (e.g., HS256), the payload contains claims (data), and the signature verifies the token has not been tampered with.
How to Use
- Paste your JWT token into the input field
- The header and payload are decoded and displayed as formatted JSON
- Check the expiration status (valid or expired) based on the exp claim
FAQ
Does this tool verify the JWT signature?
No. This tool only decodes the header and payload by base64-decoding. It does not verify the signature because that requires the secret key or public key.
What is a JWT token?
A JWT (JSON Web Token) is a compact, URL-safe token format used for authentication. It consists of three parts separated by dots: header, payload, and signature.
Is it safe to paste my JWT here?
Yes. All decoding happens in your browser. The token is never sent to any server. However, you should still avoid sharing tokens publicly as they may contain sensitive claims.
What does the "exp" claim mean in a JWT?
The "exp" (expiration time) claim is a Unix timestamp indicating when the token expires. After this time, the token should no longer be accepted. This tool checks and displays the expiration status.
Is it safe to paste my JWT token into this tool?
Yes. All decoding happens in your browser. No data is sent to any server. However, never share your JWT tokens publicly, as they may contain sensitive information.