JWT Decoder

Decode a JSON Web Token's header and payload. Runs 100% in your browser — tokens never leave the page.

Your token is decoded in your browser. Nothing is sent to any server.

JWT

Token has expired at 2026-03-20 00:00:00 UTC.

Header

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload

{
  "sub": "1234567890",
  "name": "Country Devs",
  "iat": 1773360000,
  "exp": 1773964800,
  "role": "admin"
}

// iat: 2026-03-13 00:00:00 UTC
// exp: 2026-03-20 00:00:00 UTC

Signature (raw, not verified)

cB7uJwMeHh6o_4xxoZTC7yl2a3ZcUC5x9Rkw9dPx4a4

How to decode a JWT

1
Paste your JWTDrop the full token (header.payload.signature) into the input.
2
See header & payloadBoth sections are Base64URL-decoded and pretty-printed.
3
Check expirationWe compute iat/exp from the payload and flag expired tokens.

Frequently asked questions

Is my token sent to your server?

No. Decoding runs entirely in JavaScript in your browser. Your token never touches our servers or logs.

Does this verify the signature?

No. Verification requires the signing key, which should never be shared in a tool like this. Use your server-side library for verification.

Which algorithms are supported?

All of them — we only decode the header and payload, which is algorithm-independent.

What does the expiration check do?

If the payload contains `exp`, we compare it to the current browser time. Expired tokens get a red badge.

Related tools

Base64 Encoder / Decoder

Encode and decode Base64 text. Supports UTF-8, URL-safe variant, and line-wrapping.

JSON Formatter

Format, validate, minify, and auto-fix JSON in your browser. Fixes trailing commas, unquoted keys, single quotes, comments, and more.

Password Generator

Generate strong random passwords in your browser. Custom length, character sets, exclude ambiguous chars.

Building a SaaS product?

We design, build, and scale SaaS platforms — from auth and billing to dashboards and APIs.

See SaaS services Start a project

Built by CountryDevs · No signup · No ads · No tracking