JWT decoder that keeps your token private
Paste a JWT and see its header and payload decoded instantly, with exp and iat as human-readable dates and a clear expired/valid badge — decoded locally, never uploaded.
Your token never leaves the browser.
Decode JWTs without handing them to a stranger
A JWT is just base64url-encoded JSON, but reading one by hand means splitting on dots, padding the base64, and converting Unix timestamps in your head. Worse, pasting a live production token into a random online decoder hands a valid credential to a third-party server — a real risk many teams overlook while debugging an auth issue at speed.
This decoder runs entirely in your browser. Paste a token and the header and payload appear as formatted JSON, with exp, iat, and nbf converted to human-readable local times and a badge that tells you at a glance whether the token is still valid or already expired — the answer to the most common JWT debugging question. Nothing is sent anywhere; the token never leaves your machine.
How to decode a JWT
1. Paste the token
   Copy the JWT from your Authorization header, cookie, or local storage and paste it in. Decoding happens instantly and locally.
2. Read header and payload
   The header shows the algorithm, the token type, and a key id (kid) if the issuer set one; the payload shows every claim as formatted JSON: sub, iss, aud, roles, and any custom claims. Treat all of it as what the token claims, not as fact, until the signature has been verified server-side.
3. Check the expiry badge
   exp, iat, and nbf are converted to readable local times, and a badge states clearly whether the token is valid, not yet valid, or expired, and for how long.
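The steps above, and the mechanics described earlier (split on dots, restore base64url padding, parse the JSON, convert the NumericDate claims, compare exp and nbf against the current time), as an added example that is not the tool's own code. It runs unchanged in a modern browser or in Node 18+ with no network access; the sample token, its placeholder signature and the fixed reference time SAMPLE_NOW are constructed here so the verdict is reproducible.

```javascript
// Added example: minimal in-browser JWT decoder. Decodes only; never verifies the signature.
// Uses atob/btoa/TextDecoder, which are global in browsers and in Node 18+.

// base64url -> UTF-8 string. JWT segments drop the '=' padding, so restore it before atob().
function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const bin = atob(padded);
  const bytes = Uint8Array.from(bin, (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

// Split on dots and parse the two JSON segments. The signature is returned raw and unchecked:
// nothing in header or payload (including alg) is trustworthy until a backend verifies it.
function decodeJwt(token) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated segments, got ${parts.length}`);
  }
  const [h, p, s] = parts;
  return {
    header: JSON.parse(base64UrlDecode(h)),
    payload: JSON.parse(base64UrlDecode(p)),
    signature: s,
  };
}

// Render the NumericDate claims as dates. A browser UI would call toLocaleString() for local
// time; toISOString() keeps this example deterministic across time zones.
function formatTimeClaims(payload) {
  const out = {};
  for (const claim of ['iat', 'nbf', 'exp']) {
    if (typeof payload[claim] === 'number') {
      out[claim] = new Date(payload[claim] * 1000).toISOString();
    }
  }
  return out;
}

// The badge logic. `now` is seconds since the epoch; `skewSeconds` tolerates clock drift.
function tokenStatus(payload, now = Math.floor(Date.now() / 1000), skewSeconds = 0) {
  for (const claim of ['exp', 'iat', 'nbf']) {
    if (!(claim in payload)) continue;
    const v = payload[claim];
    if (typeof v !== 'number' || !Number.isFinite(v)) {
      return { status: 'invalid', reason: `${claim} is not a number` };
    }
    // Heuristic: RFC 7519 NumericDate is seconds. Anything above 1e11 (year 5138) is almost
    // certainly a millisecond timestamp, a common issuer bug that makes tokens "never expire".
    if (v > 1e11) {
      return { status: 'invalid', reason: `${claim} looks like milliseconds, not seconds` };
    }
  }
  if (typeof payload.nbf === 'number' && payload.nbf - skewSeconds > now) {
    return { status: 'not-yet-valid', reason: `usable in ${payload.nbf - now} s` };
  }
  if (typeof payload.exp !== 'number') {
    return { status: 'valid', reason: 'no exp claim: token never expires' };
  }
  if (payload.exp + skewSeconds <= now) {
    return { status: 'expired', reason: `expired ${now - payload.exp} s ago` };
  }
  return { status: 'valid', reason: `expires in ${payload.exp - now} s` };
}

// ---- Constructed sample input (not a real token) ----
function base64UrlEncode(str) {
  const bytes = new TextEncoder().encode(str);
  return btoa(String.fromCharCode(...bytes))
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

const SAMPLE_NOW = 1700000000; // constructed reference "now": 2023-11-14T22:13:20Z
const SAMPLE_TOKEN = [
  base64UrlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' })),
  base64UrlEncode(JSON.stringify({
    sub: 'user-42',
    iss: 'https://auth.example', // hypothetical issuer
    iat: SAMPLE_NOW - 7200,
    exp: SAMPLE_NOW - 3600,      // expired one hour before SAMPLE_NOW
    roles: ['admin'],
  })),
  'not-a-real-signature',        // placeholder; the decoder never looks at it
].join('.');

const decoded = decodeJwt(SAMPLE_TOKEN);
console.log('header :', decoded.header);   // what the token claims, unverified
console.log('payload:', decoded.payload);
console.log('times  :', formatTimeClaims(decoded.payload));
console.log('status :', tokenStatus(decoded.payload, SAMPLE_NOW));
```

Running it prints the decoded header and payload, the three time claims as ISO dates, and an `expired` verdict. The millisecond check is a heuristic worth keeping in any decoder: a 13-digit exp is the usual reason a token appears valid for centuries.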
JWT decoder FAQ
Is this JWT decoder free?
Yes. It is completely free with no signup and no limits.
Is my token sent to a server?
No. The token is decoded with JavaScript in your browser and never leaves your machine. That matters: a live JWT is a working credential, and pasting it into a server-side tool exposes it to whoever operates that server and to its logs.
Does it verify the signature?
No. It decodes the header and payload only. Signature verification requires the signing secret or public key and should happen in your backend, never in a public tool. Until that verification has happened, everything the decoder shows, including the alg in the header, is an unverified claim that anyone could have written.
Why does my token show as expired?
The exp claim is a Unix timestamp; if it is earlier than now, the token is expired and most APIs will reject it with a 401. Check whether your client refreshes tokens before expiry, and whether the client's clock is behind the issuer's.
What are exp, iat, and nbf?
Standard JWT claims: iat is when the token was issued, exp is when it expires, and nbf is the earliest time it may be used. All three are Unix timestamps in seconds since the epoch (RFC 7519 calls the type NumericDate), which this tool converts to readable dates. A 13-digit value means the issuer wrote milliseconds instead of seconds, a common bug that makes a token appear valid for centuries.
Debugging auth errors in production?
Expired tokens and 401s are easier to fix when you see the full failing request. AllStak error tracking captures auth errors with request context, breadcrumbs, and the release they started in — so you find the root cause, not just the symptom.