JWT Decoder

Decode JWT header and payload instantly. No verification, no server upload. Works in your browser.

JWTs often look like opaque strings, but troubleshooting authentication usually means checking header and payload claims quickly. This tool helps you inspect exp, iat, nbf, scopes, and user-related values without sending the token to a server.

How to use

Paste the JWT, then review header and payload claims such as exp/iat/nbf, roles, and audience.

  1. Paste the full JWT token into the input area.
  2. Review the decoded header and payload JSON.
  3. Inspect standard claims such as exp, iat, and nbf.
  4. Copy the decoded JSON or claim summary if needed.

Why this tool is useful

JWTs are widely used for authentication and authorization, but the raw token string is difficult to reason about. When requests fail, you often need to check expiration (`exp`), issued-at (`iat`), audience, issuer, and role/scope claims to understand whether the issue is a token problem or a server-side rule.

Decoding the header and payload into readable JSON helps you debug with evidence instead of assumptions. Decoding is not the same as verifying a signature: the decoded claims show what the token says, not that the token is authentic.

What this tool helps with

Fast inspection helps you narrow down the failure mode: expired token, missing claims, wrong environment, or incorrect roles. This reduces time spent chasing unrelated server logic.

Decoded claims are also easier to compare across environments (dev/staging/production) when you need to verify that issuance settings are consistent.

Examples

Confirming whether a token is expired

If exp is in the past, requests can fail even when the server logic is correct. Decoding lets you confirm the expiration and focus on refresh or issuance flow.

Checking roles/scopes when authorization fails

A “forbidden” response often comes from missing role/scope claims. Inspecting the payload helps you verify whether the token includes the expected permissions.

Recommended for

Recommended if you:

  - debug login/session issues involving JWTs
  - verify claim values like exp, aud, iss, role, or scope
  - compare tokens across environments
  - want quick visibility into token structure without manual decoding

Privacy and processing

Decoding happens locally in your browser. Your token is never sent to our servers.

Frequently Asked Questions

Does this verify JWT signatures?
No. This tool only decodes header and payload data. Signature verification requires the correct secret or public key.
Is my token uploaded to a server?
No. Decoding runs entirely in your browser.
Why is my JWT invalid?
A JWT must contain three dot-separated parts, and the header and payload must decode into valid JSON.
What are exp, iat, and nbf?
They are standard JWT claims. exp is expiration time, iat is issued-at time, and nbf is not-before time.
Can I decode encrypted JWTs?
No. Encrypted JWTs require decryption keys and are not readable through simple decoding.
Why do I see strange characters?
The token may not contain UTF-8 JSON, or it may not actually be a JWT payload.
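
The decode-only inspection described above, as an added example that is not this tool's own code: it splits the token, decodes the header and payload as base64url UTF-8 JSON, and reports time-claim problems without ever touching the signature. The names `inspectJwt`, `b64urlToText` and `makeSample` are hypothetical, the sample token is constructed, and the five-part check assumes an encrypted token uses JWE compact serialization.

```javascript
// Added example: decode-only JWT inspection. Nothing here verifies a signature.
function b64urlToText(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error("segment is not base64url");
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  // fatal: true rejects non-UTF-8 bytes instead of rendering "strange characters"
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length === 5) throw new Error("five parts: looks like an encrypted JWT (JWE)");
  if (parts.length !== 3) throw new Error("expected three dot-separated parts");
  const header = JSON.parse(b64urlToText(parts[0]));   // throws on invalid JSON
  const payload = JSON.parse(b64urlToText(parts[1]));
  const findings = [];
  if (typeof payload.exp === "number" && nowSeconds >= payload.exp) findings.push("expired");
  if (typeof payload.nbf === "number" && nowSeconds < payload.nbf) findings.push("not yet valid");
  if (typeof payload.iat === "number" && payload.iat > nowSeconds) findings.push("issued in the future");
  if (String(header.alg).toLowerCase() === "none") findings.push("alg none: unsigned token");
  // verified is always false: claims are what the token says, not proof it is authentic
  return { header, payload, findings, verified: false };
}

// Constructed sample token; the third part is a placeholder and is never checked.
function makeSample(payload) {
  const enc = (obj) =>
    btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "HS256", typ: "JWT" })}.${enc(payload)}.c2lnbmF0dXJl`;
}

const sample = makeSample({ sub: "user-1", scope: "read", iat: 1000, nbf: 1000, exp: 2000 });
console.log(inspectJwt(sample, 2500));
```

Passing `nowSeconds` explicitly makes it possible to replay a failure at the time the request was made instead of at the time of debugging.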
