JWT Decoder

Decode a JSON Web Token to read its header and payload, check expiry, and optionally verify an HS256 signature — all in your browser.

Read the guide: How to Decode and Verify a JWT
JWT
Header
{
"alg": "HS256",
"typ": "JWT"
}
Payload
{
"sub": "1234567890",
"name": "DevTools",
"iat": 1516239022
}
iat
Thu, 18 Jan 2018 01:30:22 GMT

How it works

  1. 1

    Paste a JWT

    Drop the token in. The header and payload are decoded immediately.

  2. 2

    Read the claims

    Inspect standard claims like iss, sub, exp and iat, with expiry highlighted.

  3. 3

    Verify (optional)

    For HS256 tokens, paste the secret to confirm the signature is valid.

Instant & 100% private — nothing is uploaded

Everything runs locally in your browser. Your code, text and files are processed on your own device and are never sent to a server — so there are no upload waits, no size limits from us, and nothing is ever stored or logged.

Frequently asked questions

Is my token sent anywhere?
No. Decoding and verification happen entirely in your browser. Your token and secret never leave your device — important, since tokens are credentials.
Can it verify the signature?
Yes, for HMAC (HS256/384/512) tokens when you supply the secret. RS/ES signatures are decoded and displayed but verification requires the public key.
Why does it say my token is expired?
The exp claim is a Unix timestamp. The decoder compares it to the current time and flags tokens whose exp is in the past or whose nbf is in the future.
Is my data sent to a server?
No. Everything runs locally in your browser using JavaScript and WebAssembly. Your input never leaves your device, nothing is uploaded, and nothing is logged or stored.