JWT Decoder - Inspect Header, Payload and Expiration

Split a JWT into its header, payload, and signature parts, Base64URL-decode them, and display them formatted as JSON. Expired tokens (past exp) are highlighted in red. Signature verification is not performed.

How to Use

  1. Paste your JWT string into the text area
  2. The header and payload are automatically decoded and displayed
  3. exp, iat, and nbf claims are converted to human-readable datetimes
  4. Expired tokens are highlighted in red
  5. Copy the header or payload individually using the copy buttons

Usage Examples

API debugging:
Quickly inspect the contents of a JWT received in an API response.
Token expiration check:
Verify whether a session is still valid by reading the exp claim.
Color-coded parts:
Header (red), payload (purple), and signature (blue) are color-coded for easy identification.

FAQ

Can I verify the signature?
No. This tool only decodes. Use jwt.io or similar for signature verification.
I see "Invalid JWT format"
A JWT must have exactly three parts separated by dots: header.payload.signature.
Is data sent to a server?
No. All processing is done in the browser. Your tokens are never transmitted externally.
The exp claim is shown in red
That JWT has expired. A new token needs to be issued.
What is the difference between Base64URL and Base64?
Base64URL replaces + with - and / with _ to be URL-safe. JWTs use Base64URL encoding.

Related Tools

Base64Free online Base64 encoder & decoder. Encode or decode Base64 strings instantly. Supports UTF-8, URL-safe b64 mode (RFC 4648) — all in your browser.Hash GeneratorGenerate MD5, SHA-256, SHA-512, SHA-1, SHA-384, bcrypt and CRC32 hashes online. Free hash generator for text checksums and password hashing — runs in your browser.URL Encode / DecodeFree online URL encoder & decoder (urlencode/urldecode). Also supports HTML entity escape, JSON, XML, JavaScript and SQL encoding — all in your browser.

Update History

Last Updated: 2026-02-20

  • 2026-02-20 Initial release