How to decode a JWT
- Copy the token — from an Authorization: Bearer … header, a cookie, or localStorage.
- Paste it in. The header and payload decode live, and the status line shows the algorithm and whether the token is expired.
- Copy the decoded JSON for your bug report or debugging notes.
What's inside a JWT?
A JSON Web Token is three Base64URL segments joined by dots: a header (the signing algorithm), a payload (the claims — user ID, roles, expiry) and a signature. The first two are just encoded, not encrypted — anyone can read them, which is exactly why debugging with a decoder is fair game and why you should never put secrets in a JWT payload. The most common debugging question — "why did my API return 401?" — is answered by the exp claim nine times out of ten, so this tool checks it for you and prints the expiry as a readable date.
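The same decode-and-check-expiry step in code, as an added example rather than the tool's own implementation: it splits the three segments, restores the Base64URL padding, parses header and payload, and reports the algorithm and expiry without verifying the signature. The sample token is constructed inline with a placeholder signature.

```python
"""Decode a JWT's header and payload (no signature verification)."""
import base64
import json
import time


def b64url_decode(segment: str) -> bytes:
    # Base64URL omits '=' padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt(token: str, now=None) -> dict:
    """Return header, payload, expiry flag and a status line."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a compact JWS has exactly three dot-separated segments")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    now = time.time() if now is None else now
    exp = payload.get("exp")
    expired = exp is not None and now >= exp
    status = f"alg={header.get('alg')} "
    if exp is None:
        status += "no exp claim"
    else:
        expires = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(exp))
        status += ("EXPIRED at " if expired else "valid until ") + expires
    return {"header": header, "payload": payload, "expired": expired, "status": status}


def make_sample_token(claims: dict) -> str:
    """Constructed sample: real header/payload, placeholder signature bytes."""
    header = {"alg": "HS256", "typ": "JWT"}
    segs = [b64url_encode(json.dumps(x, separators=(",", ":")).encode())
            for x in (header, claims)]
    return ".".join(segs + [b64url_encode(b"placeholder-signature")])


# Constructed claims: issued 2023-11-14 22:13:20Z, expires one hour later.
SAMPLE = make_sample_token({"sub": "user-42", "iat": 1700000000, "exp": 1700003600})

if __name__ == "__main__":
    result = decode_jwt(SAMPLE)
    print(json.dumps(result["payload"], indent=2))
    print(result["status"])
```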
Frequently asked questions
Is it safe to paste a real JWT here?
Yes — decoding happens entirely in your browser, so tokens are never transmitted or logged. Still, treat production tokens like passwords; this tool is safer than server-based decoders precisely because nothing leaves your machine.
Does this verify the signature?
No — signature verification requires the secret or public key, which only the issuing server should have. This tool decodes the header and payload, which is what you need for debugging claims and expiry.
What do exp, iat and sub mean?
exp is the expiry time and iat the issued-at time, both Unix timestamps (the tool translates exp to a readable date and flags expired tokens). sub is the subject, usually the user ID; aud and iss identify the audience and issuer.