JWT Decoder Free

Paste a JSON Web Token to read its header, payload, and claims — with expiry and issued-at shown as readable dates. Decoded in your browser, never uploaded.

🎫 JWT

Paste a JSON Web Token to decode it.

Decoded locally in your browser — the token is never uploaded. The signature is not verified.

✅ Decoded

Header, payload, and claims.

🎫Paste a JWT to see its contents.

Read any JWT without trusting a website

A JSON Web Token is made of three Base64URL-encoded parts — a header, a payload, and a signature — joined by dots. The header and payload are readable by anyone; only the signature proves the token hasn't been tampered with. This decoder shows you the header and payload so you can inspect claims like the subject, issuer, scopes, and expiry while debugging authentication.

Because everything is decoded locally, you can safely paste tokens that contain personal or session data — nothing is transmitted. Remember to verify the signature server-side before you rely on a token in production.

FAQ

Frequently asked questions

Does this verify the token's signature?

No. This tool decodes the header and payload so you can read the claims — it does not verify the signature. A JWT's payload is only Base64URL-encoded, not encrypted, so anyone can read it. Always verify the signature on your server before trusting a token.

Is my token sent to a server?

No. Decoding happens entirely in your browser with JavaScript. Your token never leaves the page, so it's safe to decode tokens that contain sensitive claims.

What do iat, exp, and nbf mean?

They are standard JWT time claims, stored as Unix timestamps: 'iat' (issued at) is when the token was created, 'exp' (expires) is when it becomes invalid, and 'nbf' (not before) is the earliest time it may be used. This tool converts them to readable dates and flags expired tokens.

Why can I read the payload without a password?

Because a standard JWT is signed, not encrypted. The signature guarantees the token wasn't altered, but the contents are plainly readable. Never put secrets in a JWT payload.

Keep API keys and tokens out of your codebase

Pyalm Vault stores developer credentials with end-to-end encryption, segregated by type and company — the server only ever sees ciphertext.

Explore Pyalm Vault