🔓JWT Decoder (Header / Payload)
Decode JWT header and payload. See expiry and issuer at a glance. No signature verification — use for debugging only. Useful for API auth debugging, expired token diagnosis, OAuth flow analysis, and SSO token inspection.
How to use
1. Paste your JWT token.
2. Header and payload are decoded automatically.
3. exp/iat times display in human-readable form.
FAQ
Is the signature verified?
No, decoding only. Signature verification requires a secret key, and that key can't be handled safely on the client.
Does the token leave the browser?
No. All decoding happens locally. But pasting your auth token into any public tool is a leak risk — be careful with production tokens.
What is JWT?
JSON Web Token: a standard for auth tokens made of three parts, Header.Payload.Signature, joined with dots. It carries auth info to the client without server-side state.
What do exp, iat, iss mean?
exp (expiration time), iat (issued at), iss (issuer), sub (subject). Standard claims from RFC 7519.
Can passwords go inside a JWT?
No. JWT is just Base64URL-encoded, not encrypted — anyone can decode it. Never put sensitive info in the payload.
How do I know if a token is expired?
If the exp claim's Unix timestamp is less than the current time, it's expired. This tool flags expiry automatically.
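
The decoding steps and the expiry check described on this page, as an added JavaScript example (not this tool's own source). The function names, the sample token and the issuer URL are constructed for illustration.

```javascript
// Added example: decode-only JWT inspection (no signature verification).
// All names here (decodeSegment, toIso, inspectJwt) are hypothetical.

// Base64URL -> UTF-8 string. Works in browsers and Node 16+ (atob, TextDecoder).
function decodeSegment(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) {
    throw new Error("segment is not Base64URL");
  }
  let b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  b64 += "=".repeat((4 - (b64.length % 4)) % 4); // restore stripped padding
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

// Convert a NumericDate claim (seconds since epoch) to ISO 8601, or null.
function toIso(seconds) {
  return typeof seconds === "number" ? new Date(seconds * 1000).toISOString() : null;
}

function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) {
    throw new Error("expected Header.Payload.Signature");
  }
  const header = JSON.parse(decodeSegment(parts[0]));
  const payload = JSON.parse(decodeSegment(parts[1]));
  return {
    header,
    payload,
    issuer: payload.iss ?? null,
    issuedAt: toIso(payload.iat),
    expiresAt: toIso(payload.exp),
    // Same rule as the FAQ: exp earlier than the current time means expired.
    expired: typeof payload.exp === "number" ? payload.exp < nowSeconds : null,
    signatureVerified: false, // never checked here; contents are untrusted
  };
}

// Constructed sample token (signature part is a dummy value).
const encode = (obj) =>
  btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const sampleToken = [
  encode({ alg: "HS256", typ: "JWT" }),
  encode({ iss: "https://issuer.example", sub: "user-1", iat: 1700000000, exp: 1700003600 }),
  "c2lnbmF0dXJl",
].join(".");

console.log(inspectJwt(sampleToken, 1700007200));
```

Because `signatureVerified` is always false, the decoded claims are only suitable for debugging and must not drive an authorization decision.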