Overview
What this tool does
A JWT (JSON Web Token) is a compact, URL-safe string used to carry claims between systems. It looks like three base64url-encoded segments joined by dots: header.payload.signature. The header says what algorithm was used; the payload is a JSON object of claims (who, what, when, how long valid); the signature is a cryptographic proof the issuer produced this exact token. This decoder splits the token, base64url-decodes each part, parses the header and payload as JSON, and pulls out the common claims (issuer, subject, audience, expiry, issued-at). Expiry is shown both in your local time and as a relative phrase ("3 hours ago", "in 5 days") with a clear Valid / Expired badge. 100% client-side; the token never leaves your browser.
How to
Use it in 3 steps
- Paste your JWT into the input. The decoder runs as you type.
- Read the Header (algorithm, token type) and Payload (claims) in the pretty-printed JSON panels.
- Check the 'Key claims' grid for issuer, subject, audience, and timestamps. The Expires row shows whether the token is currently valid.
- Copy any segment to your clipboard with the small Copy buttons.
- If the token is invalid, an error banner explains what failed (wrong number of segments, malformed base64url, invalid JSON inside a segment).
FAQ
Frequently asked questions
▶Does this verify the signature?
No. This is a decoder, not a verifier. Verifying the signature requires the issuer's secret (for HS256/HS384/HS512) or public key (for RS256/ES256 etc.), which only the issuer has. Never trust an unverified payload for authorization decisions.
▶Is my token sent anywhere?
No. Decoding is pure string manipulation that happens entirely in your browser. The token never reaches a server.
▶I pasted a real-looking JWT and got 'invalid base64url'.
JWTs use the URL-safe base64 variant (- and _ instead of + and /, no padding). If your token was copy-pasted from a place that added line wrapping or HTML-escaped characters, fix that first. Whitespace inside the token is not allowed.
▶What's the difference between 'iat' and 'exp'?
Both are Unix timestamps in seconds. 'iat' (issued-at) is when the token was created. 'exp' (expiration) is when it stops being valid. The decoder displays both in your local time zone and as a human-readable relative phrase.
▶What if the token has no signature?
Unsecured JWTs use 'none' as the algorithm and have an empty third segment. They're technically valid but should never be accepted in any system that cares about authenticity. The decoder still parses them but you should treat them as untrusted.
▶How big can the token be?
JWTs are usually small (a few hundred bytes to a few KB). The decoder handles tokens of any practical size; HTTP cookies and URL query strings cap real-world JWT size long before this tool would.