Loading tools...
Loading tools...
Decode JSON Web Tokens instantly. Inspect header, payload, claims, and expiry. Base64URL decoding — no server, no logging.
Paste a JWT token above to decode it
Or click Load Sample to try an example
Header, payload, claims, expiry — everything decoded and presented clearly.
Decodes the Base64URL header and displays the signing algorithm (alg), token type (typ), and any other header claims in pretty-printed JSON.
Decodes the payload and highlights standard claims: iss, sub, aud, exp, nbf, iat, jti. Shows human-readable descriptions for each registered claim.
Automatically checks the exp claim against the current time and shows a "Valid", "Expired", or "No expiry" badge. Converts Unix timestamps to readable dates.
Handles the Base64URL encoding variant used by JWTs, which replaces + with - and / with _ and omits padding. Supports Unicode characters in payload values.
Shows the raw Base64URL signature. Includes a clear note that signature verification requires the secret or public key and should be performed server-side.
Gracefully handles malformed tokens, wrong number of parts, invalid Base64, and JSON parse errors. Shows clear messages for each failure mode.
A JSON Web Token consists of three Base64URL-encoded parts separated by dots: Header (algorithm and token type), Payload (claims about the subject), and Signature (used to verify the token has not been tampered with). The header and payload can be decoded by anyone — only the signature requires the secret key to verify.
No. Signature verification requires the secret or public key used to sign the token, which is not available client-side. This tool decodes and displays the header, payload, and raw signature. To verify signatures, use a server-side library like jsonwebtoken (Node.js), PyJWT (Python), or java-jwt (Java). Never trust JWT claims without verifying the signature.
The exp (expiration time) claim is a Unix timestamp indicating when the token expires. This tool shows a "Valid" or "Expired" badge by comparing exp against the current time. Always validate expiry server-side — client-side clocks can be manipulated.
Disclaimer: This tool is provided for informational and educational purposes only. Preview renderings are approximations and may differ from actual platform displays due to platform updates, caching, or rendering differences. We fetch publicly available metadata and do not store or share your URLs. Platforms may cache old data even after you update your content—use their official debug tools to refresh caches. ZIRA Software is not liable for any decisions made based on this tool's output.