
JWT decoder

Read the header and payload of a JSON Web Token, right in your browser. Nothing is uploaded.

Works offline and privately: the token is decoded in your browser and is never uploaded. Decoding only reads the contents; it does not verify the signature, so it does not prove the token is authentic. Do not trust a token just because it decodes.
JWT Decoder is a free developer tool that decodes JSON Web Tokens entirely in your browser, with nothing uploaded. It shows the header and payload as formatted JSON and turns the standard time claims into readable dates with an expiry status. It only reads the token and does not verify the signature, so decoding alone does not prove a token is authentic.

Frequently asked questions

Is my token uploaded anywhere?

No. The JWT is decoded entirely in your browser and is never sent to a server, so even sensitive tokens stay on your device. It works offline once loaded.

Does it verify the signature?

No. It decodes and shows the header and payload, but it does not check the signature, so a token that decodes is not proven to be authentic. Treat decoding as inspection only.

What do exp, iat and nbf mean?

They are standard time claims: exp is when the token expires, iat is when it was issued, and nbf is the earliest time it is valid. They are shown as readable dates with an expiry status.

Is it safe to paste a real token here?

Because everything stays in your browser, the token is not transmitted. Still, treat live tokens with care and avoid pasting them on shared or untrusted devices.

Why does my token fail to decode?

A JWT has parts separated by dots, encoded with base64url. If the token is truncated or altered, the parts cannot be decoded and a clear message is shown.
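
The decode-only behaviour described in the answers above, as an added JavaScript example that is not the tool's own code: it reads the header, payload and time claims, reports a clear error for a truncated or altered token, and never checks the signature. It assumes the three-part signed form of a JWT; the names inspectJwt and b64urlToText and the sample token are constructed for illustration.

```javascript
// Added example: decode-only inspection. The signature is never checked.
function b64urlToText(part) {
  if (!/^[A-Za-z0-9_-]+$/.test(part) || part.length % 4 === 1) {
    throw new Error("not base64url");
  }
  const b64 = part.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

function inspectJwt(token, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = String(token).trim().split(".");
  if (parts.length !== 3) { // assumption: three-part signed (JWS compact) token
    return { ok: false, error: `expected 3 parts, got ${parts.length}` };
  }
  let header, payload;
  try {
    header = JSON.parse(b64urlToText(parts[0]));
    payload = JSON.parse(b64urlToText(parts[1]));
    if (payload === null || typeof payload !== "object") throw new Error("payload");
  } catch (e) {
    return { ok: false, error: "header or payload is not base64url JSON" };
  }
  const times = {};
  for (const claim of ["exp", "iat", "nbf"]) { // values are seconds since epoch
    const v = payload[claim];
    // Skip values outside the range a JavaScript Date can represent.
    if (Number.isFinite(v) && Math.abs(v) <= 8.64e12) {
      times[claim] = new Date(v * 1000).toISOString();
    }
  }
  let status = "no exp claim";
  if (typeof payload.nbf === "number" && nowSec < payload.nbf) status = "not yet valid";
  else if (typeof payload.exp === "number") status = nowSec >= payload.exp ? "expired" : "active";
  // A successful decode says nothing about authenticity.
  return { ok: true, header, payload, times, status, signatureVerified: false };
}

// Constructed sample token; the third part is a placeholder, not a real signature.
const enc = (obj) =>
  btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE = [
  enc({ alg: "HS256", typ: "JWT" }),
  enc({ sub: "demo-user", iat: 1700000000, nbf: 1700000000, exp: 1700003600 }),
  "placeholder-signature",
].join(".");

console.log(inspectJwt(SAMPLE, 1700000100));
```

The sample decodes cleanly even though its third part is a placeholder, which is why the result always carries signatureVerified: false.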