quialo.

JWT Decoder

The signature is NOT verified. Decoding is purely cosmetic.

Anyone can read or craft these claims. Never trust an unverified JWT for authentication or authorization. Verification needs the signing key on a server.

Paste a JWT above to see its decoded header, payload, signature, and claims.

Decoding happens in your browser. Nothing is sent to a server, so it is safe to paste a token while debugging.

Paste a JSON Web Token and this tool splits it on the dots, base64url decodes the header and payload, and pretty prints each as JSON. It also pulls out the standard registered claims (iss, sub, aud, exp, nbf, iat, jti), shows the time claims as readable dates, and tells you whether the token is expired or not yet valid. It runs entirely in your browser, so your token never leaves your device. Note that this is a decoder, not a verifier. It shows what a token claims, not whether the signature is valid.

How to use

  1. Copy your JSON Web Token from your app, logs, or an Authorization header.
  2. Paste it into the token box. You can include or strip the Bearer prefix; just make sure the three dot-separated parts are present.
  3. Read the decoded header, payload, and signature, shown alongside a table of standard claims.
  4. Check the claim table for a human readable expiry and an expired or not yet valid flag.
  5. Use the Copy buttons to grab any part, or Reset to clear the field.

Examples

  • Input: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c. Output header: {"alg": "HS256", "typ": "JWT"}. Output payload: {"sub": "1234567890", "name": "John Doe", "admin": true}.
  • A payload with exp set to a past time shows the exp claim flagged as expired, with how long ago it lapsed.
  • Input with only two parts (header.payload) returns the error: A JWT must have 3 parts separated by dots. This input has 2.

FAQs

Does this tool verify the token signature?
No. It only decodes the header and payload so you can read the claims. It never checks the signature, so do not treat a decoded token as trusted or authentic. Signature verification needs the secret or public key and should happen on your server.
Is my token sent anywhere?
No. All decoding runs in your browser using built-in functions. The token is never uploaded, logged, or sent to any server.
Why do I get an error about base64url encoding?
JWT parts use base64url, which allows letters, digits, hyphen, and underscore but no plus, slash, or spaces. If a part was truncated, re-wrapped, or copied with stray characters, decoding fails. Copy the full token again and try once more.
What does the third part of the token mean?
The third part is the signature. This tool shows it as raw base64url text but does not decode or verify it, because it is a cryptographic value rather than JSON. It exists so a server can confirm the token has not been tampered with using the signing key.
How does it flag an expired token?
It reads the exp claim, treats it as seconds since the epoch, and compares it to your current time. If exp is in the past the claim is marked expired and a banner appears. The nbf claim is handled the same way and is marked not yet valid when its time has not arrived. This is a convenience readout, not signature verification, so still verify on a server before trusting anything.
My payload has accented characters. Will they show correctly?
Yes. The payload is decoded as UTF-8, so multibyte characters such as accented names or non Latin scripts are preserved in the output.
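The following is an added example, not the tool's own source code: a minimal JWT decoder in plain JavaScript that performs the same steps the page describes (strip an optional Bearer prefix, split on dots, reject anything other than three parts, base64url-decode the header and payload as UTF-8, parse them as JSON, pull out the registered claims, and flag exp and nbf against a reference time). Like the tool, it never touches the signature, which is why the result carries an explicit `verified: false`. The function names (`decodeJwt`, `base64urlToBytes`, `jsonToBase64url`) are my own, the second sample token is constructed here purely to exercise the expiry and UTF-8 paths, and its signature part is a placeholder string.

```javascript
// Added example, not the tool's own source: a JWT *decoder* with no verification.

const BASE64URL_RE = /^[A-Za-z0-9_-]*$/;

// Decode one base64url segment to bytes, rejecting characters outside the alphabet
// (plus, slash, spaces, stray quotes) before any decoding is attempted.
function base64urlToBytes(segment) {
  if (!BASE64URL_RE.test(segment) || segment.length % 4 === 1) {
    throw new Error("Invalid base64url encoding: only A-Z, a-z, 0-9, '-' and '_' are allowed");
  }
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return new Uint8Array(Buffer.from(padded, 'base64'));
}

// Decode a segment as UTF-8 (so accented names survive) and parse it as JSON.
function decodeJsonSegment(segment, label) {
  const text = new TextDecoder('utf-8', { fatal: true }).decode(base64urlToBytes(segment));
  try {
    return JSON.parse(text);
  } catch (e) {
    throw new Error(`${label} is not valid JSON: ${e.message}`);
  }
}

const REGISTERED_CLAIMS = ['iss', 'sub', 'aud', 'exp', 'nbf', 'iat', 'jti'];
const TIME_CLAIMS = new Set(['exp', 'nbf', 'iat']);

// `now` is seconds since the epoch. It defaults to the wall clock but is a parameter
// so the expiry logic can be checked against a fixed time.
function decodeJwt(token, now = Math.floor(Date.now() / 1000)) {
  const raw = token.trim().replace(/^Bearer\s+/i, ''); // accept a bare token or a header value
  const parts = raw.split('.');
  if (parts.length !== 3) {
    throw new Error(`A JWT must have 3 parts separated by dots. This input has ${parts.length}.`);
  }
  const [headerB64, payloadB64, signatureB64] = parts;
  const header = decodeJsonSegment(headerB64, 'Header');
  const payload = decodeJsonSegment(payloadB64, 'Payload');

  const claims = {};
  for (const name of REGISTERED_CLAIMS) {
    if (!(name in payload)) continue;
    const entry = { value: payload[name] };
    if (TIME_CLAIMS.has(name) && Number.isFinite(payload[name])) {
      entry.date = new Date(payload[name] * 1000).toISOString();
      if (name === 'exp') {
        // RFC 7519: the current time must be strictly before exp.
        entry.status = payload[name] <= now ? 'expired' : 'valid';
        entry.secondsRemaining = payload[name] - now; // negative once it has lapsed
      }
      if (name === 'nbf') {
        // RFC 7519: the current time must be at or after nbf.
        entry.status = payload[name] > now ? 'not yet valid' : 'active';
        entry.secondsUntilActive = payload[name] - now;
      }
    }
    claims[name] = entry;
  }
  // The signature is passed through as raw base64url text; nothing here checks it.
  return { header, payload, signature: signatureB64, claims, verified: false };
}

// Helper used only to build a constructed sample token below (not part of decoding).
function jsonToBase64url(obj) {
  return Buffer.from(JSON.stringify(obj), 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Constructed sample: an expired token with a non-ASCII name and a placeholder signature.
const SAMPLE_EXPIRED = [
  jsonToBase64url({ alg: 'HS256', typ: 'JWT' }),
  jsonToBase64url({ sub: 'u42', name: 'José Müller', exp: 1700000000, nbf: 1699990000 }),
  'placeholder-signature',
].join('.');

console.log(JSON.stringify(decodeJwt(SAMPLE_EXPIRED, 1700003600), null, 2));
```

Because `decodeJwt` reports `verified: false` unconditionally, any code consuming its output has no way to mistake a decoded token for an authenticated one; the constructed sample shows that a token with an arbitrary signature decodes just as cleanly as a genuine one, which is exactly why the claims must not be trusted until a server checks the signature with the key.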
