JWT Decoder
Paste any JSON Web Token to instantly read its header, payload claims, and expiry timestamps. No signing key needed. Free, nothing stored.
JWT Decoder is a free online tool for developers who need to inspect JSON Web Tokens during OAuth flows, API debugging, or session troubleshooting. Paste a JWT — the long dot-separated string you get from an Authorization header or cookie — and the tool instantly splits it into its three parts: a header (algorithm and token type), a payload (claims like user ID, expiry, and roles), and a signature. The header and payload are decoded from Base64url and formatted as readable JSON. Expiry fields (exp, iat, nbf) are converted to human-readable timestamps so you can immediately see whether a token has expired without mentally converting Unix timestamps. The signature segment is displayed as raw Base64url — it cannot be decoded without the signing key, and this tool never asks for one. Your token is decoded server-side purely to pretty-print the JSON, and no token content is stored or logged.
exp claim to confirm whether a JWT has expired or is still valid.
HS256, RS256, etc.) and key ID (kid) from the header.
iss and aud claims during an OIDC integration to ensure tokens are issued by the expected provider.

No. Signature verification requires the signing key, which you should never paste into a third-party tool. This tool only decodes and displays the header and payload — the readable parts of a JWT that require no key.
No. Your pasted token is used only to split and decode the three segments for display. Nothing is stored, logged, or transmitted beyond the decode operation.
exp is the Unix timestamp (seconds since 1970-01-01 UTC) at which the token expires. This tool converts it to a readable date and time so you can immediately see whether the token is still valid.
A JSON Web Token (JWT) is a compact, Base64url-encoded string used to transmit claims between systems. It consists of three dot-separated parts: a header (algorithm and type), a payload (the claims), and a signature (tamper-proofing). JWTs are used in OAuth 2.0, OpenID Connect, and many API authentication systems.
Yes. The header and payload of a JWT are only Base64url-encoded, not encrypted. You can read them without any key. Only signature verification requires the key.
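The split-and-decode step described above can be reproduced locally with the standard library. This Python sketch is an added example, not the tool's own code; the function names, the sample token, its claim values and the `kid` are constructed for illustration, and the signature segment is a placeholder that is displayed but never verified.

```python
import base64
import json
from datetime import datetime, timezone

TIME_CLAIMS = ("exp", "iat", "nbf")

def b64url_decode(segment):
    """Decode Base64url, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def decode_jwt(token, now=None):
    """Split and decode a JWT for inspection only; the signature is NOT verified."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated segments, got {len(parts)}")
    try:
        header = json.loads(b64url_decode(parts[0]))
        payload = json.loads(b64url_decode(parts[1]))
    except ValueError as exc:  # covers bad Base64, bad UTF-8 and bad JSON
        raise ValueError(f"segment is not Base64url-encoded JSON: {exc}") from exc
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise ValueError("header and payload must be JSON objects")
    now = int(datetime.now(timezone.utc).timestamp()) if now is None else now
    # Convert Unix-epoch claims to readable UTC timestamps.
    times = {c: datetime.fromtimestamp(payload[c], tz=timezone.utc).isoformat()
             for c in TIME_CLAIMS if isinstance(payload.get(c), (int, float))}
    return {
        "header": header,
        "payload": payload,
        "times_utc": times,
        # Expired once the current time reaches exp; None when exp is absent.
        "expired": now >= payload["exp"] if "exp" in times else None,
        "signature_b64url": parts[2],  # shown raw, never treated as verified
    }

def make_sample_token():
    """Constructed sample token; the signature is a placeholder, not a real MAC."""
    header = {"alg": "HS256", "typ": "JWT", "kid": "example-key-1"}
    payload = {"iss": "https://issuer.example", "aud": "example-api",
               "sub": "user-123", "iat": 1700000000, "exp": 1700003600}
    segs = [b64url_encode(json.dumps(p, separators=(",", ":")).encode())
            for p in (header, payload)]
    return ".".join(segs + [b64url_encode(b"placeholder-signature")])

if __name__ == "__main__":
    print(json.dumps(decode_jwt(make_sample_token()), indent=2))
```

A readable payload says nothing about authenticity: anyone can build a token like the sample, so claims from an unverified token are for debugging only.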