
JWT Decoder

Paste a JSON Web Token to instantly read its header and payload as formatted JSON, and see whether it has expired. Decoding happens entirely in your browser.

100% client-side · nothing is uploaded


How to use the JWT Decoder

  1. Paste your JSON Web Token into the box — a leading Bearer prefix is removed automatically.
  2. The header, payload and registered claims (with human-readable dates) appear instantly, along with an expiry status.
  3. To verify the signature, tick Verify signature, choose the algorithm, and paste the secret (HS*) or public key (RS/ES/PS*).
  4. Click Verify to confirm whether the signature is valid. All processing stays in your browser.

Privacy: this tool runs entirely in your browser. Your input is never sent to, received by, or stored on any server — there are no uploads and no tracking of what you enter.

About JWT

What is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe token format used for authentication and information exchange. It has three Base64URL-encoded parts separated by dots: header.payload.signature.

Header, payload and signature

The header describes the signing algorithm (e.g. HS256, RS256). The payload contains claims such as sub, iat and exp. The signature is computed over the header and payload with a secret or private key to prove integrity.

Decoding is not verifying

This tool decodes and displays the token contents, including a friendly expiry check based on the exp claim. It does not verify the signature, which requires the secret/public key. Never trust a token's claims without verifying its signature server-side.
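
The gap between decoding and verifying, shown as an added example (not this tool's own code) for Node.js and HS256 only. The helper names signHS256, decodeJwt and verifyHS256, the secret and the sample tokens are all constructed for illustration.

```javascript
// Added example (Node.js): decoding a JWT proves nothing; verifying needs the key.
const { createHmac, timingSafeEqual } = require('node:crypto');

const b64urlJson = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const hs256 = (secret, data) => createHmac('sha256', secret).update(data).digest();

// Build a sample HS256 token (constructed test input, not a real credential).
function signHS256(payload, secret) {
  const signingInput = `${b64urlJson({ alg: 'HS256', typ: 'JWT' })}.${b64urlJson(payload)}`;
  return `${signingInput}.${hs256(secret, signingInput).toString('base64url')}`;
}

// Decode only: what a decoder displays. No key is involved.
function decodeJwt(token) {
  const parts = token.replace(/^Bearer\s+/i, '').split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const [header, payload] = parts.slice(0, 2)
    .map((p) => JSON.parse(Buffer.from(p, 'base64url').toString('utf8')));
  if (![header, payload].every((o) => o && typeof o === 'object')) throw new Error('not JSON objects');
  return { header, payload, parts };
}

// Verify: pin the algorithm, recompute the MAC, then check the time claims.
function verifyHS256(token, secret, nowSec = Math.floor(Date.now() / 1000)) {
  let decoded;
  try { decoded = decodeJwt(token); } catch { return { ok: false, reason: 'malformed' }; }
  const { header, payload, parts } = decoded;
  // The verifier fixes the algorithm; the token's own header must not choose it.
  if (header.alg !== 'HS256') return { ok: false, reason: 'unexpected alg' };
  const expected = hs256(secret, `${parts[0]}.${parts[1]}`);
  const given = Buffer.from(parts[2], 'base64url');
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad signature' };
  }
  if (typeof payload.nbf === 'number' && nowSec < payload.nbf) return { ok: false, reason: 'not yet valid' };
  if (typeof payload.exp === 'number' && nowSec >= payload.exp) return { ok: false, reason: 'expired' };
  return { ok: true, payload };
}

// Constructed sample: a valid token, and a copy whose payload was edited afterwards.
const SECRET = 'constructed-demo-secret';
const NOW = 1700000000;
const good = signHS256({ sub: 'alice', role: 'user', iat: NOW, exp: NOW + 3600 }, SECRET);
const [h, , s] = good.split('.');
const forged = `${h}.${b64urlJson({ sub: 'alice', role: 'admin', exp: NOW + 3600 })}.${s}`;

console.log(decodeJwt(forged).payload.role);          // admin
console.log(verifyHS256(forged, SECRET, NOW).reason); // bad signature
```

The edited token decodes cleanly and shows the altered claim; only the signature check, run with the key, rejects it.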

Frequently asked questions

Does this tool verify the JWT signature?
No. It only decodes the header and payload for inspection. Signature verification needs the signing key and should happen on your server.
Is it safe to paste a real token?
Decoding is done locally in your browser and nothing is transmitted. That said, treat production tokens as secrets and avoid pasting them into tools you don't trust. This tool's source is fully client-side and inspectable.
Why does it say my token is expired?
The payload's exp claim is a Unix timestamp. If that moment is in the past, the token is expired and most servers will reject it.
What are iat, nbf and exp?
iat = issued-at time, nbf = not-valid-before time, exp = expiry time. All are Unix timestamps in seconds.
