/ developer & network toolbox
← all tools

$ jwt

runs locally

JWT Decoder

Decode a JSON Web Token's header and payload and read its exp / iat claims. Signature not verified.

jwt — invoker.tools

Decoded locally — the signature is not verified and nothing is sent anywhere.

About the JWT Decoder

The JWT decoder splits a JSON Web Token into its header and payload, decodes the base64url segments, and shows the JSON contents. It also translates the standard time claims, exp (expiration), iat (issued at), and nbf (not before), into human-readable dates so you can see at a glance when a token is valid.

Use it to debug authentication, inspect what claims a token carries, or check whether a token has expired. Note that this tool decodes only and does not verify the signature, so it confirms contents, not authenticity. Everything is processed locally in your browser, so tokens are never sent to a server.

How to use it

  1. Paste a JWT (the header.payload.signature string) into the input.
  2. View the decoded header and payload JSON.
  3. Read the exp, iat, and nbf claims shown as human-readable times.
  4. Check the timestamps to see whether the token is currently valid.

Examples

  • Paste an access token to see its payload claims like sub, role, and scope.
  • Check a token's exp claim rendered as a readable date to confirm it has expired.
  • Inspect the header to see the signing algorithm (alg) and token type (typ).
  • Read the iat claim to find out exactly when a token was issued.

Frequently asked questions

What is a JWT?

A JSON Web Token is a compact, URL-safe token with three base64url parts, a header, a payload of claims, and a signature, commonly used for authentication and authorization.

Does this verify the token's signature?

No. This tool only decodes the header and payload. It does not verify the signature, so it confirms contents but not authenticity.

How are exp, iat, and nbf shown?

These standard time claims are converted from Unix timestamps into human-readable dates so you can quickly see when a token was issued, becomes valid, and expires.

Is my token sent anywhere?

No. Decoding happens entirely in your browser, so your token and its claims are never uploaded to a server.

What is the difference between decoding and verifying a JWT?

Decoding reveals the readable contents of a token, while verifying checks the signature against a key to prove the token is authentic and untampered. This tool only decodes.

Can I tell if a token has expired?

Yes. Compare the human-readable exp time to the current time. If exp is in the past, the token has expired, though only signature verification proves it is genuine.

More encode / decode tools

Base64JSON Formatter