ToolFarm

JWT Decoder

Decode the header and payload of a JSON Web Token in your browser. No signature verification, nothing leaves your device.

This tool decodes the token only. It does NOT verify the signature, so it cannot tell you whether the token is authentic.

What this tool does

Paste a JSON Web Token and read its header and payload as formatted JSON, instantly and entirely in your browser. The decoder splits the three base64url segments, pretty-prints the JSON, and turns the exp, iat and nbf timestamps into readable dates. It never verifies the signature and never sends the token anywhere.

Working with API payloads? Decode raw values with Base64, or pretty-print a response body with JSON formatter.

What you can use it for

  • Inspect the claims inside an access token while debugging an API.
  • Check when a token was issued and when it expires.
  • Confirm which algorithm and key id a token declares in its header.
  • Read a token's subject, scopes or custom claims without a backend.

How to use it

  1. Paste your JSON Web Token into the input area.
  2. Read the decoded header and payload as formatted JSON.
  3. Check the exp, iat and nbf claims converted to readable dates.
  4. Copy the header or the payload with a single click.

Everything runs inside your browser. No file is uploaded to any server.

Frequently asked questions

Does this tool verify the signature?

No. It only decodes the header and payload so you can read them. Verifying the signature requires the issuer's secret or public key, and doing it in the browser would give a false sense of security. Treat the result as informational, never as proof that the token is authentic.

Is my token sent to a server?

No. The decoding runs entirely in your browser with the built-in base64 functions. The token never leaves your device, which matters because access tokens are sensitive credentials.

What do exp, iat and nbf mean?

They are registered time claims. iat is when the token was issued, exp is when it expires, and nbf is the time before which it must not be accepted. They are stored as seconds since 1970, and the tool converts them to readable dates.

Why does my token show as structurally invalid?

A standard JWT has exactly three parts separated by dots: header, payload and signature. If your input has a different number of parts, or a segment is not valid base64url JSON, the tool flags it as structurally invalid while still showing whatever it could decode.
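
The decode steps described on this page (split on dots, base64url-decode, parse JSON, convert the time claims, flag structural problems while still showing what decoded) can be sketched as follows. This is an added example, not ToolFarm's own code; `decodeJwt`, `b64urlToText`, `enc` and `SAMPLE_TOKEN` are hypothetical names, and the sample token is constructed.

```javascript
// Added example: decode-only JWT inspection; the signature is never checked.
// decodeJwt, b64urlToText and SAMPLE_TOKEN are hypothetical names.
function b64urlToText(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error("not base64url");
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  // fatal: true rejects invalid UTF-8 instead of silently substituting U+FFFD.
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

function decodeJwt(token) {
  const parts = token.trim().split(".");
  const result = { structurallyValid: true, errors: [], header: null,
                   payload: null, dates: {}, signatureVerified: false };
  if (parts.length !== 3) {
    result.structurallyValid = false;
    result.errors.push(`expected 3 segments, got ${parts.length}`);
  }
  // Decode whatever is present so partial input is still shown.
  ["header", "payload"].forEach((name, i) => {
    if (parts[i] === undefined) return;
    try {
      const value = JSON.parse(b64urlToText(parts[i]));
      if (value === null || typeof value !== "object" || Array.isArray(value)) {
        throw new Error("not a JSON object");
      }
      result[name] = value;
    } catch (e) {
      result.structurallyValid = false;
      result.errors.push(`${name}: ${e.message}`);
    }
  });
  // exp, iat and nbf are seconds since 1970; Date expects milliseconds.
  for (const claim of ["exp", "iat", "nbf"]) {
    const v = result.payload ? result.payload[claim] : undefined;
    if (Number.isFinite(v) && Math.abs(v) <= 8.64e12) result.dates[claim] = new Date(v * 1000).toISOString();
  }
  return result;
}

// Constructed sample token; the third segment is a placeholder, not a real signature.
const enc = (obj) => btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE_TOKEN = [
  enc({ alg: "HS256", typ: "JWT", kid: "demo-key" }),
  enc({ sub: "user-123", iat: 1700000000, nbf: 1700000000, exp: 1700003600 }),
  "placeholder-signature",
].join(".");
console.log(decodeJwt(SAMPLE_TOKEN));
```

The result always carries `signatureVerified: false`, and the third segment is never inspected, so a token with altered claims decodes just as cleanly as a genuine one.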
