Loading the interactive tool… It runs in your browser — if it doesn't appear, enable JavaScript.
Paste a JWT and read what's inside: the header, every claim in the payload, the time claims (iat/exp/nbf) translated to readable dates, and a clear expired-or-valid verdict. Decoding runs entirely in your browser — which matters more here than for any other tool, because a JWT is a live credential and pasting one into a site that ships it to a server is handing over a key.
Frequently asked questions
Is decoding the same as verifying?
No — and the difference is security-critical. Anyone can decode a JWT (the payload is just Base64URL); only the signature, checked against the issuer's key, proves it's genuine and untampered. This tool reads tokens for debugging; your backend must verify them.
Why is my token rejected by the API but decodes fine here?
Check exp first — expired tokens decode perfectly. Then audience (aud) and issuer (iss) claims matching what the API expects, and finally whether you're sending it in the right header format (Authorization: Bearer <token>).
Are JWTs encrypted?
The common kind (JWS) is signed, not encrypted — anyone holding the token reads everything in it. That's why secrets never belong in JWT claims. Encrypted JWTs (JWE) exist but are rare; this tool decodes the signed kind.