No. Decoding is just Base64URL decoding in your browser — neither the token nor its contents leave your device.

Does it verify the signature?

No, this tool is inspection-only. Use the JWT signature verify tool for that.

What happens with malformed tokens?

You get a precise error: not three parts, invalid Base64URL, broken JSON, etc.

Why does it say expired?

It compares exp against your device clock. Watch out for clock skew vs. the issuing server.

Back to Developer

JWT decode — inspect header & payload

Paste a JWT and break it down into Header / Payload / Signature. Numeric claims like exp / iat / nbf are translated into human-readable timestamps. No signature verification — purely for inspection. Runs entirely in your browser.

developerJWTdecode

How to use

Paste a JWT into the input — the three dot-separated parts (header / payload / signature) are decoded immediately. Numeric unix-time claims (exp / iat / nbf / auth_time) are translated to readable timestamps, plus a badge that says whether the token is still valid. A Copy button copies each section's JSON. The Sample button drops in an example JWT.

FAQ

Is the JWT uploaded?: No. Decoding is just Base64URL decoding in your browser — neither the token nor its contents leave your device.
Does it verify the signature?: No, this tool is inspection-only. Use the JWT signature verify tool for that.
What happens with malformed tokens?: You get a precise error: not three parts, invalid Base64URL, broken JSON, etc.
Why does it say expired?: It compares exp against your device clock. Watch out for clock skew vs. the issuing server.

Related tools

JWT Encode (sign) — HMAC / RSA / ECDSA via Web Crypto

Generate (sign) a JWT (JSON Web Token) entirely in your browser using the Web Crypto API. Supports HS256 / HS384 / HS512 (HMAC), RS256 / RS384 / RS512 (RSASSA-PKCS1-v1_5), PS256 / PS384 / PS512 (RSA-PSS), and ES256 / ES384 / ES512 (ECDSA P-256/P-384/P-521). Provide Header / Payload as JSON (with optional auto-fill for `exp` / `iat` / `nbf`), and a key — a string for HMAC, or a PKCS#8 PEM / JWK for asymmetric. Output is the standard `header.payload.signature` JWT which can be pasted straight into jwt-decode / jwt-verify. Secrets and payloads stay in your browser.

developerJWTsecuritygenerate

JWT signature verify — HMAC / RSA / ECDSA

Verify a JWT signature using WebCrypto — supports HS / RS / PS / ES with SHA-256/384/512. Paste an HMAC secret for HS*, or an SPKI PEM / JWK public key for RSA / ECDSA. exp / nbf are checked alongside the signature. Nothing leaves your browser.

developerJWTsecurity

Base64 encode / decode — URL-safe variant supported

Convert between plain text and Base64. Encode with an optional URL-safe variant; decoding accepts URL-safe (- _, no padding) automatically. UTF-8 safe and runs entirely in your browser.

developerencodedecode

HTTP Status Code Lookup

Search HTTP status codes from 100 to 511 by code number, English reason phrase, or description. Filter by class (1xx informational / 2xx success / 3xx redirect / 4xx client error / 5xx server error). Instantly look up what 404 or 502 means. Pure static data — runs entirely in your browser.

developerextract