JWT Decoder: Read Token Payload
Decode the header and payload of a JSON Web Token online. No signature verification, free and in your browser, nothing leaves your device.
This tool decodes the token only. It does NOT verify the signature, so it cannot tell you whether the token is authentic.
What this tool does
Paste a JSON Web Token and read its header and payload as formatted JSON, instantly and entirely in your browser. The decoder splits the three base64url segments, pretty-prints the JSON, and turns the exp, iat and nbf timestamps into readable dates. It never verifies the signature and never sends the token anywhere.
Working with API payloads? Decode raw values with Base64, or pretty-print a response body with JSON formatter.
What you can use it for
- Inspect the claims inside an access token while debugging an API.
- Check when a token was issued and when it expires.
- Confirm which algorithm and key id a token declares in its header.
- Read a token's subject, scopes or custom claims without a backend.
How to use it
- Paste your JSON Web Token into the input area.
- Read the decoded header and payload as formatted JSON.
- Check the exp, iat and nbf claims converted to readable dates.
- Copy the header or the payload with a single click.
Everything runs inside your browser. No file is uploaded to any server. See more tools in this field.
Pairs well with
Other tools people reach for in the same flow.
- Base64 Encoder and Decoder
encode and decode Base64 text
Essential when debugging an API.
- JSON Formatter and Validator
format and validate JSON
Essential when debugging an API.
- UUID Generator and Validator
work with UUIDs
Strong fit in developer workflows.
- Unix Timestamp Converter
convert Unix timestamps and dates
Strong fit in developer workflows.
- Secure Password Generator
generate a secure password
Essential when debugging an API.
Related tools
DeveloperBase64 Encoder and Decoder
Encode and decode Base64 text online, with an optional URL-safe alphabet. Runs in your browser, nothing is uploaded to a server.
JSON Formatter and Validator
Format, validate and minify JSON online. Beautify messy JSON or compact it in one click, free and entirely in your browser, no upload.
UUID Generator and Validator
Generate, validate and convert UUIDs online: v4, v5, v7, NIL and MAX. Instant and free, in your browser, no upload to any server.
Unix Timestamp Converter
Convert Unix epoch timestamps to readable dates and back online, in seconds or milliseconds. Free and in your browser, no upload.
Frequently asked questions
Does this tool verify the signature?
No. It only decodes the header and payload so you can read them. Verifying the signature requires the issuer's secret or public key, and doing it in the browser would give a false sense of security. Treat the result as informational, never as proof that the token is authentic.
Is my token sent to a server?
No. The decoding runs entirely in your browser with the built-in base64 functions. The token never leaves your device, which matters because access tokens are sensitive credentials.
What do exp, iat and nbf mean?
They are registered time claims. iat is when the token was issued, exp is when it expires, and nbf is the time before which it must not be accepted. They are stored as seconds since 1970, and the tool converts them to readable dates.
Why does my token show as structurally invalid?
A standard JWT has exactly three parts separated by dots: header, payload and signature. If your input has a different number of parts, or a segment is not valid base64url JSON, the tool flags it as structurally invalid while still showing whatever it could decode.

