JWT Decoder

Paste a JSON Web Token to read its header, payload and expiry. Decoding happens entirely in your browser — your token is never sent anywhere.

How to decode a JWT

  1. Paste your token into the box above. It decodes automatically as you type.
  2. Read the header (which algorithm signed it) and the payload (the claims — user id, roles, expiry and so on).
  3. Check the claims table to see, at a glance, when the token was issued and whether it has expired.

Decoding is not verifying

A JWT has three dot-separated parts: header.payload.signature. The first two are just base64url-encoded JSON — anyone can read them, which is exactly what this tool does. The signature is what proves the token is genuine, and checking it requires the secret (for HS256) or public key (for RS256). That verification must happen on your server. This page deliberately never asks for your key, because a decoder should never need it.

What the timestamps mean

Payloads often include iat (issued-at), exp (expiry) and nbf (not-before), all as Unix timestamps in seconds. The tool converts them to readable dates and tells you whether the token is still valid or already expired — handy when you are debugging a 401 and wondering if the token simply timed out.

Is it private and safe?

Yes — and for tokens that matters. Many online JWT tools send your token to their server to decode it, which can leak live session tokens. Toolyard decodes entirely in your browser: your token is never uploaded, logged or transmitted. Still, treat production tokens with care and rotate anything you have pasted into any website.

Frequently asked questions

Is decoding the same as verifying?

No. Decoding reads the header and payload. Verifying checks the signature with the key, which happens on your server — not in a decoder.

Why can anyone read a JWT?

The header and payload are base64url-encoded, not encrypted. Encoding is not secrecy — never store passwords or secrets in a payload.

Is my token sent anywhere?

Never. It is decoded in your browser and is not uploaded or logged. You can even go offline after the page loads.

What are iat, exp and nbf?

Issued-at, expiry and not-before times, as Unix timestamps in seconds. The tool shows them as dates and flags expired tokens.

Why does my token show as invalid?

A JWT needs three parts separated by dots and each must be valid base64url. A truncated or malformed token cannot be decoded.