All decoding runs in your browser. Your tokens are never uploaded.
What is a JWT Decoder?
A JSON Web Token (JWT) is a compact, URL-safe string of three Base64URL-encoded parts separated by dots: header.payload.signature. It's the most common format for authentication tokens in modern APIs (OAuth, OpenID Connect, Auth0, AWS Cognito, Firebase…). The first two parts are JSON metadata you can read by simply Base64URL-decoding them — that's exactly what this tool does. It decodes the header (algorithm, type), the payload (your claims: who, what, when, expiry) and shows the signature as-is. Standard time claims `iat`, `exp` and `nbf` are converted to human-readable dates with timezone, and an at-a-glance status badge tells you whether the token is active, expired or not yet valid. Decoding happens entirely in your browser — your tokens never touch our servers.
Features
- Decode standard JWTs and Base64URL-encoded JOSE tokens
- Pretty-printed header and payload with JSON syntax highlighting
- Auto-recognized claims: iat / exp / nbf with readable dates and timezone
- Status badge: Active · Expired · Not yet valid (with relative time)
- Algorithm and type detection (HS256, RS256, ES256, none, …)
- Try sample tokens with one click
- 100% browser-only — tokens are never sent to a server
How to use
- Paste a full JWT (header.payload.signature) into the input field.
- The header and payload are decoded instantly and shown on the right.
- Standard claims like `exp` and `iat` are highlighted with a human-readable date.
- Check the status badge — green for active, red for expired, amber for not-yet-valid.
Frequently Asked Questions
Does this tool verify the signature?
No — and intentionally so. Verifying a signature requires the secret (for HS256) or the public key (for RS256/ES256), and the safe place to do that is on your server, never inside a public web page. This decoder only parses the token contents so you can inspect them.
Is my token uploaded anywhere?
No. The whole decode pipeline is plain JavaScript running in your browser: Base64URL → UTF-8 → JSON.parse. Your token never leaves the page. You can verify this by opening DevTools → Network and seeing zero requests when you paste a token.
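The pipeline described above, written out as an added example (this is not the tool's own source): Base64URL is mapped back to standard Base64 and padded, decoded to bytes, the bytes are decoded as UTF-8, and the result is passed to JSON.parse. The signature segment is handed back untouched. The sample token is the widely published jwt.io demo token (HS256 with the secret "your-256-bit-secret"); it is not specific to this page. Only the global `atob` and `TextDecoder` are used, so the code runs in a browser or in Node 16+.

```javascript
// Added example, not the tool's own source: a minimal decoder following the
// pipeline the page describes (Base64URL -> UTF-8 -> JSON.parse).
// Needs only the global atob and TextDecoder, so it runs in a browser or Node 16+.

const BASE64URL_RE = /^[A-Za-z0-9_-]*$/;

// Base64URL (RFC 4648 section 5, unpadded) -> raw bytes.
// Rejects the standard-alphabet characters '+', '/' and '=' outright instead of
// silently accepting input that is not actually Base64URL.
function base64UrlToBytes(segment) {
  if (!BASE64URL_RE.test(segment)) throw new Error('segment is not Base64URL');
  if (segment.length % 4 === 1) throw new Error('invalid Base64URL length');
  const base64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = base64 + '='.repeat((4 - (base64.length % 4)) % 4);
  const binary = atob(padded); // binary string, one char per byte
  return Uint8Array.from(binary, (c) => c.charCodeAt(0));
}

// Bytes -> string; fatal:true turns malformed UTF-8 into an error instead of U+FFFD.
function base64UrlToUtf8(segment) {
  return new TextDecoder('utf-8', { fatal: true }).decode(base64UrlToBytes(segment));
}

// Parse a compact JWS into its three parts. The signature is returned as-is
// and NOT verified; that needs the key and belongs on the server.
function decodeJwt(token) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) {
    throw new Error(`expected header.payload.signature, got ${parts.length} segment(s)`);
  }
  const [h, p, signature] = parts;
  const header = JSON.parse(base64UrlToUtf8(h));
  const payload = JSON.parse(base64UrlToUtf8(p));
  for (const [name, v] of [['header', header], ['payload', payload]]) {
    if (v === null || typeof v !== 'object' || Array.isArray(v)) {
      throw new Error(`${name} is not a JSON object`);
    }
  }
  return { header, payload, signature };
}

// The widely published jwt.io sample token: HS256 over
// {"sub":"1234567890","name":"John Doe","iat":1516239022}
// with the secret "your-256-bit-secret".
const SAMPLE_TOKEN =
  'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.' +
  'eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.' +
  'SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c';

function demo() {
  const { header, payload, signature } = decodeJwt(SAMPLE_TOKEN);
  console.log(JSON.stringify(header, null, 2));
  console.log(JSON.stringify(payload, null, 2));
  console.log(`signature: ${signature} (${base64UrlToBytes(signature).length} bytes, not verified)`);
}
demo();
```

The length check (`length % 4 === 1`) and the strict alphabet test catch the two ways a segment can look like Base64URL without being decodable; a lenient decoder would silently produce garbage JSON for those instead of an error. Note that the 43-character signature decodes to exactly 32 bytes, the size of an HMAC-SHA256 tag.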
How is JWT different from Base64?
A JWT is three pieces of Base64URL data joined by dots, where the first two pieces are JSON objects with a fixed schema (header and claims). Plain Base64 is just an encoding for arbitrary bytes — it has no structure or meaning.
What do `iat`, `exp` and `nbf` mean?
These are registered JWT claims (RFC 7519). `iat` (issued at) is when the token was created. `exp` (expiration) is the cut-off after which the token must be rejected. `nbf` (not before) is the earliest moment the token can be accepted. All three are Unix timestamps in seconds.
Why does my token show "Expired" even though I just got it?
Your computer's clock is probably ahead of the issuer's clock (clock skew). Most servers allow a few seconds of skew — but if you're off by minutes or hours, fix your system time. The `exp` value shown here is in seconds since the Unix epoch.
Is `alg: none` safe?
No. A JWT with `alg: none` carries no signature and must be rejected by any production system. If you ever receive one in the wild, treat it as a malicious token. This decoder will still parse it so you can inspect it, but never trust its contents.
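The three FAQ answers above (the `iat`/`exp`/`nbf` semantics, the clock-skew question, and `alg: none`) come together in the status badge. As an added example that is not the tool's own code, the following applies those rules to an already-decoded header and payload: it renders the time claims as dates, classifies the token as active, expired or not yet valid with an optional skew allowance, and flags an `alg` of `none` (matched case-insensitively). The header, claims and the fixed "now" are constructed sample values.

```javascript
// Added example, not the tool's own code: the status-badge logic and the
// header checks described on this page, applied to an already-decoded header
// and payload. All values below are constructed; times are Unix seconds.

// iat/exp/nbf are seconds since the epoch; render as ISO-8601 UTC.
function formatClaimTime(seconds) {
  if (!Number.isFinite(seconds)) return null;
  return new Date(seconds * 1000).toISOString();
}

// "in 1 hour", "10 seconds ago", ... for the relative-time part of the badge.
function humanize(deltaSeconds) {
  const abs = Math.abs(deltaSeconds);
  const [n, unit] =
    abs < 60 ? [abs, 'second']
    : abs < 3600 ? [Math.floor(abs / 60), 'minute']
    : abs < 86400 ? [Math.floor(abs / 3600), 'hour']
    : [Math.floor(abs / 86400), 'day'];
  const text = `${n} ${unit}${n === 1 ? '' : 's'}`;
  return deltaSeconds >= 0 ? `in ${text}` : `${text} ago`;
}

// Classify by the time claims (RFC 7519: reject once now >= exp, accept only
// once now >= nbf). `leeway` is the clock-skew allowance a verifier would grant;
// the badge itself uses 0 so the raw verdict stays visible.
function tokenStatus(claims, nowSeconds, leeway = 0) {
  for (const name of ['iat', 'exp', 'nbf']) {
    const v = claims[name];
    if (v !== undefined && !Number.isFinite(v)) {
      return { status: 'invalid', detail: `${name} is not a NumericDate` };
    }
  }
  const { exp, nbf } = claims;
  if (exp !== undefined && nowSeconds >= exp + leeway) {
    return { status: 'expired', detail: `expired ${humanize(exp - nowSeconds)}` };
  }
  if (nbf !== undefined && nowSeconds < nbf - leeway) {
    return { status: 'not_yet_valid', detail: `becomes valid ${humanize(nbf - nowSeconds)}` };
  }
  if (exp === undefined) {
    return { status: 'active', detail: 'no exp claim, token never expires' };
  }
  if (nowSeconds >= exp) {
    return { status: 'active', detail: `expired ${humanize(exp - nowSeconds)} but inside the ${leeway}s leeway` };
  }
  return { status: 'active', detail: `expires ${humanize(exp - nowSeconds)}` };
}

// Header sanity checks. alg is compared case-insensitively so "None"/"NONE"
// spellings are flagged as well. These are warnings for the reader, not a verification.
function headerWarnings(header) {
  const warnings = [];
  const alg = header ? header.alg : undefined;
  if (typeof alg !== 'string' || alg === '') {
    warnings.push('missing or non-string alg');
  } else if (alg.toLowerCase() === 'none') {
    warnings.push('alg "none": unsigned token, must be rejected by any verifier');
  }
  return warnings;
}

// Constructed sample: a decoded header and payload, inspected at a fixed "now".
const NOW = 1700000000; // 2023-11-14T22:13:20Z
const sampleHeader = { alg: 'none', typ: 'JWT' };
const sampleClaims = { sub: 'user-123', iat: NOW - 60, nbf: NOW - 60, exp: NOW + 3600 };

function demo() {
  console.log('iat:', formatClaimTime(sampleClaims.iat));
  console.log('status:', tokenStatus(sampleClaims, NOW));
  console.log('warnings:', headerWarnings(sampleHeader));
}
demo();
```

`Number.isFinite` is used deliberately: it does not coerce, so a claim such as `"exp": "1700000000"` (a string) is reported as invalid rather than quietly compared as a number. The `leeway` parameter reproduces the "few seconds of skew" that servers typically allow; passing 0, as the badge does, shows the strict verdict.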
Canonical: https://devformatlab.com/en/jwt-decoder