csvjson

JWT Decoder

Paste a JWT to decode the header and payload claims. Timestamps are converted automatically, expiry status is shown, and the three parts are color-coded.

JWT Decoder is coming soon. In the meantime, try the JSON → CSV converter, which has flattening built in.

How it works

Base64url decode the header and payload

A JWT has three base64url-encoded segments separated by dots. The tool decodes the first two (header and payload) using base64url decoding. The signature is shown but not verified — verification requires the signing key.

Claims are annotated and timestamps converted

Standard registered claims (iss, sub, aud, exp, iat, nbf, jti) are labeled with their RFC 7519 descriptions. Timestamp values are automatically converted to ISO dates with relative time (e.g., 'expired 3h ago').
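
The two steps above, as an added example (not the tool's own code): a decode-only routine that splits the token, base64url-decodes the header and payload, labels the registered claims and converts timestamps. The function names, the signatureVerified field and the sample token are assumptions constructed for illustration.

```javascript
// Decode-only JWT inspection: the signature segment is never checked here.
const REGISTERED = { // registered claim names from RFC 7519
  iss: "Issuer", sub: "Subject", aud: "Audience", exp: "Expiration Time",
  nbf: "Not Before", iat: "Issued At", jti: "JWT ID",
};
const TIME_CLAIMS = ["exp", "nbf", "iat"];

function b64urlToJson(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error("not base64url");
  // base64url -> base64: swap the URL-safe characters and restore padding
  let b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  b64 += "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder("utf-8", { fatal: true }).decode(bytes));
}

function relative(seconds) {
  const s = Math.abs(seconds);
  if (s >= 86400) return Math.floor(s / 86400) + "d";
  if (s >= 3600) return Math.floor(s / 3600) + "h";
  if (s >= 60) return Math.floor(s / 60) + "m";
  return s + "s";
}

function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = String(token).trim().split(".");
  if (parts.length !== 3) throw new Error("expected 3 dot-separated segments");
  const header = b64urlToJson(parts[0]);
  const payload = b64urlToJson(parts[1]);
  const notes = [];
  for (const [name, value] of Object.entries(payload)) {
    if (!Object.hasOwn(REGISTERED, name)) continue;
    let note = `${name} (${REGISTERED[name]})`;
    // NumericDate claims are seconds since the epoch; skip values Date cannot represent
    if (TIME_CLAIMS.includes(name) && Number.isFinite(value) && Math.abs(value) <= 8.64e12) {
      note += ` → ${new Date(value * 1000).toISOString()}`;
      const delta = value - nowSeconds;
      if (name === "exp") note += delta <= 0 ? ` (expired ${relative(delta)} ago)` : ` (expires in ${relative(delta)})`;
    }
    notes.push(note);
  }
  const expired = Number.isFinite(payload.exp) ? payload.exp <= nowSeconds : null;
  // Claims are untrusted until a server verifies the signature with the signing key.
  return { header, payload, notes, expired, signatureVerified: false };
}

// Constructed sample token with a placeholder signature segment.
const enc = (o) => btoa(JSON.stringify(o)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE = `${enc({ alg: "RS256", typ: "JWT" })}.${enc({ sub: "user_123", exp: 1700000000 })}.sig`;
```

Passing nowSeconds explicitly makes the expiry status reproducible; omit it to compare against the current clock.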

Example

Inspecting an OAuth2 access token from an authorization server

Input
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c2VyXzEyMyIsImVtYWlsIjoiYWxpY2VAZXhhbXBsZS5jb20iLCJleHAiOjE3MDUzOTg0MDB9.signature
Output
Header: { "alg": "RS256", "typ": "JWT" }
Payload: { "sub": "user_123", "email": "alice@example.com", "exp": 1705398400 }
exp → 2024-01-16 08:00:00 UTC (expired 3d ago)

The exp claim is automatically converted from a Unix timestamp to a human-readable date with expiry status.

Frequently asked questions

Is it safe to decode a JWT in the browser?

Yes — JWTs are base64url-encoded, not encrypted. The content is readable by anyone who has the token. This tool only decodes (reads the claims) — it cannot verify the signature without the signing key.

What is the difference between decoding and verifying a JWT?

Decoding reads the header and payload. Verification checks the cryptographic signature to confirm the token was signed by the expected party and hasn't been tampered with. Always verify server-side — never trust decoded claims from a client-only decode.