{ }jsonkit
Tools/Validate/JWT Decoder
Search tools…⌘K
Format
{ }JSON Formatter
≡→JSON Minifier
\"JSON Escape / Unescape
Validate
JSON Validator
±JSON Diff / Compare
§JSON Schema Generator
JWT Decoder
Convert
→csvJSON to CSV
csv→CSV to JSON
⇄ymlJSON ⇄ YAML
⇄xmlJSON ⇄ XML
→tsJSON to TypeScript
Query
$.JSONPath / JQ Tester
Generate
Mock JSON Data Generator

JWT Decoder

Decode header, payload and signature — with expiry check.
processes as you type · client-side
Sample
Upload
⧉ Copy output ⌘C
Download
Share
Clear
Token180 B · paste or drop a file
1
Decoded
✗ Expired — exp Wed, 08 Jul 2026 08:00:00 GMTHS256
Header
{
  "alg": "HS256",
  "typ": "JWT"
}
Payload
{
  "sub": "usr_8x42",
  "name": "Ada Lovelace",
  "iat": 1751961600,
  "exp": 1783497600
}
Signature
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
✓ decoded — 3 segments180 B → —0.0 msLn 1, Col 1UTF-8

About JWT Decoder

The JWT decoder splits a JSON Web Token into its three parts — header, payload and signature — and decodes the base64url-encoded header and payload into readable JSON. It also reads the standard time claims so you can see at a glance whether a token has expired.

Decoding happens entirely in your browser. The token you paste is never uploaded, which matters because JWTs frequently carry access credentials — you can safely inspect a real production token without it leaving your machine.

It is built for developers debugging auth: check what claims a token carries, confirm the issuer and audience, see when it was issued and when it expires, and understand why a request is being rejected.

How it works

Base64url decoding

A JWT is three base64url-encoded segments joined by dots. The decoder converts the header and payload from base64url — which uses - and _ instead of + and / and drops padding — back into JSON, so you can read the claims directly.

Why the signature can't be verified here

The third segment is a signature computed by the issuer using a secret or private key. Without that key the signature cannot be validated, and the key should never be pasted into a web tool. The decoder shows the signature but does not claim the token is authentic — treat decoded claims as unverified.

Expiry and time claims

The decoder reads the registered claims exp (expiry), iat (issued-at) and nbf (not-before), which are Unix timestamps in seconds. It shows human-readable times and flags a token whose exp is in the past as expired.

Standard claims explained

Alongside the timestamps you will typically see iss (issuer), aud (audience), sub (subject) and jti (token id). These identify who issued the token, who it is for and which principal it represents — useful when a token works against one service but not another.

Frequently asked questions

Does decoding a JWT verify that it is valid?

No. Decoding only reveals the claims; it does not check the signature. A token could be tampered with or forged and still decode. Signature verification requires the issuer's secret or public key, which you should never paste into a web tool.

Is it safe to paste a real access token here?

The decoding is done entirely in your browser and the token is never uploaded, so it does not leave your machine. That said, treat any token you paste anywhere as potentially exposed and rotate it if in doubt.

Why can't the tool validate the signature?

The signature is computed with a secret or private key held only by the issuer. Without that key it is impossible — by design — to verify the signature, and entering a secret into any online tool is unsafe.

How do I tell if a token is expired?

The decoder reads the exp claim, a Unix timestamp in seconds, and marks the token expired if that time is in the past. It also shows iat and nbf so you can see the full validity window.

My token won't decode — what's wrong?

A JWT must have three dot-separated base64url segments. If a part is missing, truncated, or the encoding is corrupted, decoding fails. Make sure you copied the whole token with no line breaks.