JWT Decoder

Paste a JWT and instantly see the decoded header, payload, and expiry timestamps. Everything happens client-side — your token never leaves the browser.


A JSON Web Token (JWT) is just three base64url-encoded segments separated by dots: header.payload.signature. This tool splits a token apart, decodes the header and payload back into readable JSON, and tells you whether the token has expired — all without sending the token to any server.

How to use the decoder

  1. Paste your JWT into the input box. The decoder runs automatically as you type.

  2. Read the Header to see which algorithm was used (typically HS256 or RS256) and the token type.

  3. Read the Payload to see the claims — common ones include sub (subject), iss (issuer), aud (audience), iat (issued at), nbf (not before), and exp (expiry).

  4. If the payload contains an exp claim, the tool works out whether the token is currently valid or expired and shows the expiry time in UTC.

What this tool does NOT do

Decoding a JWT is not the same as verifying it. The signature segment is shown as an opaque string because verifying it requires the secret (for HMAC) or the public key (for RSA / ECDSA) that signed the token. If you need to verify a token, do it server-side with the appropriate library — never trust an unverified JWT in production code.

Privacy

The whole decoding pipeline runs in your browser via the standard atob API and a UTF-8 text decoder. No part of the token is sent to our server, logged, or stored. You can safely paste tokens from internal staging environments to inspect their contents.
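
The decode-and-check-expiry steps described above, written out as an added example (this is not the tool's own code). atob only accepts standard base64, so the base64url alphabet and the stripped padding are restored first. The function names and the sample token are constructed for illustration, and the sample's third segment is a placeholder rather than a real signature.

```javascript
// Added example: decode-only JWT inspection. Nothing here verifies the signature.
// b64urlToText, decodeJwt and encodeSegment are hypothetical names.

// atob only accepts standard base64, so map the URL-safe alphabet back
// and restore the '=' padding that JWTs strip.
function b64urlToText(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment) || segment.length % 4 === 1) {
    throw new Error("segment is not valid base64url");
  }
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  // fatal: true rejects malformed UTF-8 instead of substituting U+FFFD
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const result = {
    header: JSON.parse(b64urlToText(parts[0])),
    payload: JSON.parse(b64urlToText(parts[1])),
    signature: parts[2], // left opaque: checking it needs the key
    verified: false,
  };
  const exp = result.payload?.exp;
  if (typeof exp === "number") {
    result.expiresAtUtc = new Date(exp * 1000).toISOString();
    result.expired = nowSeconds >= exp; // exp is seconds since the epoch
  }
  return result;
}

// Constructed sample token; the third segment is a placeholder, not a real signature.
const encodeSegment = (obj) =>
  btoa(String.fromCharCode(...new TextEncoder().encode(JSON.stringify(obj))))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE_TOKEN = [
  encodeSegment({ alg: "HS256", typ: "JWT" }),
  encodeSegment({ sub: "user-123", name: "Zoë", exp: 1700000000 }),
  "placeholder-signature",
].join(".");

console.log(decodeJwt(SAMPLE_TOKEN, 1699999999));
```

The returned object always carries verified: false, so calling code cannot mistake a decoded token for an authenticated one.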