Tool Overview

This tool decodes a JSON Web Token and shows its header, payload, and signature. You paste a JWT and see the contents without running code.

JWTs are used for login and API auth. They are long strings with three parts separated by dots. Reading them by hand is hard because each part is encoded. This tool decodes the first two parts and shows the JSON so you can inspect claims and expiry.

It is for developers and support staff who need to see what is inside a token. You can use it with basic knowledge of JWTs; no keys or secrets are required.

Background and Concepts

A JWT has three parts: header, payload, and signature. Each part is base64url-encoded. The header usually has the algorithm and type. The payload has claims such as who issued the token, who it is for, and when it expires. The signature is used to verify the token with a secret or key; this tool does not verify the signature. A related operation involves encoding JSON Web Tokens as part of a similar workflow.

JWTs appear in browser storage, API responses, and logs. When you need to see the claims or check expiry, you must decode the first two parts. Doing that by hand means base64 decoding and JSON parsing, which is slow and error-prone. This tool does the decode and parse for you and shows the header and payload as readable JSON. It also checks the expiry claim (exp) against the current time and shows whether the token is expired or still valid.

The tool does not check the signature. It does not need your secret or key. So it cannot tell if the token was forged or tampered with. Use it to inspect and debug; do not rely on it alone for security.

Key Features

• Paste or type. You paste or type a JWT in the input box. You can include the word "Bearer" and a space at the start; the tool removes that and uses the rest. The token is decoded as you type. Maximum length is 10,000 characters so the page stays responsive.
• Three-part check. The tool expects exactly three parts separated by dots. If there are fewer or more, or a part is empty, it reports malformed or not a JWT and shows an error. So you quickly see if the input is a valid JWT shape.
• Header and payload decode. The first two parts are base64url-decoded and parsed as JSON. The tool shows the header and payload in separate sections with formatted JSON. If decode or parse fails, it reports an error (e.g. invalid header JSON). So you see the actual algorithm, type, and claims.
• Signature shown. The third part is the signature. The tool does not decode or verify it; it only displays it so you can copy it or compare. So you can inspect all three parts without any secret.
• Summary. When the token is valid, the tool shows a short summary: algorithm from the header, expiry status (valid or expired) from the exp claim, and if present issuer (iss) and subject (sub). So you get the main info at a glance.
• Expiry check. If the payload has an exp claim (number), the tool compares it to the current time and marks the token as expired or valid. It also shows the expiry date and a relative time (e.g. in 2 hours or 1 day ago). So you can see if the token is still in time.
• Copy. You can copy the raw token from the clipboard with a paste button, or copy the header JSON, payload JSON, or signature from the result. Clear clears the input and result.
• Optional explain. When the token is valid, you can request an explanation of the payload (e.g. what the claims mean). This is optional and may send the payload for analysis; do not use with sensitive tokens.

Common Use Cases

Debugging auth. Your app or API uses JWTs and something is wrong. Paste the token from storage or a response and see the header, payload, and expiry. Check the algorithm, issuer, subject, and exp to find misconfiguration or expired tokens. For adjacent tasks, encoding data in Base64 addresses a complementary step.

Support. A user reports a login or permission issue. They can copy the token (if your app exposes it safely); you paste it here and inspect claims and expiry without logging into their account.

Learning. You want to see how JWTs are structured. Paste a sample token and expand the header and payload to see typical claims like iss, sub, aud, exp, iat, nbf.

Logs and audits. You have a JWT in a log or export and need to see who it was for and when it expired. Decode it here and use the summary and payload. When working with related formats, checking your IP address can be a useful part of the process.

Testing. You generate test JWTs and want to confirm the payload and expiry without writing code. Paste and inspect.

How to Use This Tool (Step-by-Step)

1. Open the JWT decoder page.
2. Paste your JWT into the token input. You can paste from the clipboard using the paste button or type. The token can start with "Bearer " and a space; the tool will ignore that. Maximum length is 10,000 characters.
3. Look at the result. If the input is empty you see nothing. If it is not exactly three dot-separated parts you see an error (e.g. not a JWT or malformed). If decode or JSON parse fails you see an error (e.g. invalid payload JSON).
4. When the token is valid you see a summary: algorithm, expiry status (valid or expired), and if present issuer and subject. You also see the expiry date and relative time. Below that you see the header and payload as formatted JSON, and the signature as text.
5. Use the copy buttons next to header, payload, or signature to copy that part. Use paste from clipboard to fill the input from your clipboard. Use clear to remove the input and start over.
6. Optionally tap Explain to get a short explanation of the payload. This is only for valid tokens and may send the payload; do not use with sensitive data.

Calculations and Logic

The tool does not do signature verification or cryptography. It only decodes and formats.

The input is trimmed and any leading "Bearer " (case-insensitive) is removed. If the result is longer than 10,000 characters an error is returned. The string is split by dots. If there are not exactly three non-empty parts, the status is not a JWT or malformed and an error message is shown. Otherwise the first part is base64url-decoded (padding and character replacements applied), then decoded bytes are parsed as JSON; the same is done for the second part. If either parse fails or the result is not a JSON object, the status is malformed. The third part is kept as the signature string. If both header and payload are valid objects, the status is valid. The payload is then checked for an exp claim: if it is a number, it is compared to the current time in seconds; if it is in the past the expiry status is expired, otherwise valid. If there is no exp or it is not a number, the expiry status is no exp. Timestamps (e.g. exp) are shown as a formatted date and as a relative time (e.g. in 2 hours or 3 days ago) using the current time. The header, payload, and signature are displayed as described; no secret or key is used and the signature is not verified. In some workflows, looking up IP addresses is a relevant follow-up operation.

Tips, Limitations and Best Practices

No signature verification. The tool decodes and displays the token. It does not verify the signature. So it cannot tell if the token was signed correctly or tampered with. Use it for inspection and debugging; for security you must verify the signature in your app or server with the correct key.

Bearer prefix. If your token is shown as "Bearer eyJ..." you can paste it as-is; the tool strips "Bearer " and decodes the rest.

Expiry. The tool only checks the exp claim. It does not check nbf (not before) or iat (issued at) for validity; those are still visible in the payload JSON. Rely on your backend to enforce nbf and iat if needed. For related processing needs, generating color palettes handles a complementary task.

Privacy. The payload often contains user IDs, emails, or roles. Do not paste tokens that are sensitive or from production if you use the Explain feature; the payload may be sent for analysis.

Length. Very long tokens (over 10,000 characters) are rejected. Most JWTs are much shorter; if you hit the limit, check that you did not paste extra text.

Algorithm. The header is shown as-is. The tool does not validate the algorithm name or reject weak algorithms. Use the displayed algorithm to debug; enforce algorithm rules in your server.