JWT Decoder
Decode JWT header & payload and inspect exp / iat (no verification).
Tokens are decoded locally in your browser and nothing is uploaded, but avoid pasting real production tokens or secrets into any online tool.
Need to create and sign a token? Try the JWT Signer.
About JWT Decoder
This JWT decoder splits any JSON Web Token into its header, payload, and signature segments and shows them as clean, readable JSON. Paste a token (with or without the "Bearer " prefix) and it decodes the base64url segments instantly, then surfaces the standard time claims — exp, iat, and nbf — as human-readable UTC dates with badges showing whether the token is expired, active, or not yet valid. It is built for backend developers, API engineers, and QA testers who need to debug auth headers, inspect token contents, or confirm an expiry without reaching for a server-side library. Use it as a quick JWT parser or online token decoder during local debugging. Decoding happens locally in your browser, so the token you paste never leaves your device and nothing is uploaded.
Features
- Decodes the JWT header and payload into pretty-printed, syntax-highlighted JSON
- Parses exp, iat, and nbf claims and renders them as readable UTC timestamps
- Flags tokens as Expired, Valid, Active, or Not yet valid with colored badges
- Accepts tokens with or without the leading Bearer prefix
- Displays the raw signature segment separately for inspection
- Warns clearly that decoding never verifies a token's signature or authenticity
- Copy buttons for the decoded header and payload JSON, plus a Clear control
How to use the JWT Decoder
- Paste your JWT into the JSON Web Token input box.
- Read the decoded header and payload shown as formatted JSON.
- Check the Claims section for issued, not-before, and expiry dates and status badges.
- Use the Copy buttons to grab the header or payload JSON, or Clear to start over.
Example
Input
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0IiwibmFtZSI6IkphbmUiLCJpYXQiOjE1MTYyMzkwMjJ9.signature
Output
Header:
{
  "alg": "HS256",
  "typ": "JWT"
}
Payload:
{
  "sub": "1234",
  "name": "Jane",
  "iat": 1516239022
}
The decoder splits the token and renders the header and payload as JSON; iat shows as a readable date.
Common errors & troubleshooting
- You see an error that the token needs at least two dot-separated segments. — A JWT must be header.payload.signature. Confirm you copied the whole token and that the dots were not stripped.
- The decoder reports a segment is not valid base64url or not valid JSON. — Make sure no characters were dropped or URL-encoded in transit, and that you pasted the token itself rather than a surrounding object or quotes.
- You expected verification but the tool says the signature is not checked. — This is a decoder, not a validator. It reads token contents only; use a signing or verification library to confirm authenticity.
- A token shows as Expired even though it seems recent. — The exp claim is a Unix timestamp in seconds (UTC) and is compared against the current time. Check the displayed UTC date against your local clock and timezone.
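The decoding steps described on this page (strip the Bearer prefix, split on dots, base64url-decode, read exp / iat / nbf), written out as an added example; it is not ArrayKit's own code. The function names, status strings, error wording, and the choice to treat now >= exp as expired are assumptions.

```javascript
// Added example: decode-only JWT inspection. The signature is never checked.
function b64urlToJson(segment, label) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) {
    throw new Error(`${label} is not valid base64url`);
  }
  // base64url -> base64: restore '+' and '/', then pad to a multiple of 4.
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  let text;
  try {
    const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
    text = new TextDecoder('utf-8', { fatal: true }).decode(bytes);
  } catch {
    throw new Error(`${label} is not valid base64url`);
  }
  let value;
  try {
    value = JSON.parse(text);
  } catch {
    throw new Error(`${label} is not valid JSON`);
  }
  if (value === null || typeof value !== 'object') {
    throw new Error(`${label} is not a JSON object`);
  }
  return value;
}

function decodeJwt(input, nowSeconds = Math.floor(Date.now() / 1000)) {
  // Accept a pasted Authorization header value as well as a bare token.
  const token = input.trim().replace(/^Bearer\s+/i, '');
  const parts = token.split('.');
  if (parts.length < 2) {
    throw new Error('token needs at least two dot-separated segments');
  }
  const header = b64urlToJson(parts[0], 'header');
  const payload = b64urlToJson(parts[1], 'payload');
  // exp and nbf are seconds since the Unix epoch, compared against "now".
  let status = 'active';
  if (typeof payload.nbf === 'number' && nowSeconds < payload.nbf) status = 'not yet valid';
  if (typeof payload.exp === 'number' && nowSeconds >= payload.exp) status = 'expired';
  const toUtc = (v) => (typeof v === 'number' ? new Date(v * 1000).toISOString() : null);
  return {
    header,
    payload,
    signature: parts[2] ?? '', // raw segment, displayed only
    times: { iat: toUtc(payload.iat), nbf: toUtc(payload.nbf), exp: toUtc(payload.exp) },
    status,
    verified: false, // decoding alone never proves authenticity
  };
}
```

Because `verified` is always false, nothing in the returned header or payload should drive an authorization decision; that requires a verification library and the issuer's key.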
Frequently asked questions
- What is a JWT decoder and what does it show?
- A JWT decoder reads a JSON Web Token and reveals its contents. This decoder pretty-prints the full header and payload and highlights the standard time claims exp, iat, and nbf as readable UTC dates with status badges.
- How do I decode a JWT with the Bearer prefix?
- Just paste the whole Authorization header value. The JWT Decoder automatically strips a leading 'Bearer ' prefix before decoding, so you don't need to trim it first.
- Does the JWT Decoder verify the token signature?
- No. It only decodes and displays the header, payload, and claims. It never verifies the signature, so decoding alone never proves a token is authentic.
- Why does my token show as Not yet valid in the JWT Decoder?
- It has an nbf (not before) claim with a time still in the future, so the token is not active yet. The badge updates once that time has passed.
- Is my token sent anywhere when I use the JWT Decoder?
- No. The JWT Decoder runs entirely in your browser and the token you paste never leaves your device, with no tracking and nothing uploaded to a server.