JWT Decoder
Decode JWT tokens.
Note: this tool does not validate the cryptographic signature (secret/public key required). Use the "Validate Claims" option to check exp/nbf/iat.
Learn more
What does the JWT Decoder do?
Decodes a JWT (JSON Web Token) and displays the header, payload (claims), and signature part in a clear and organized way. Useful for debugging, token analysis, and verification of temporal claims such as exp, nbf, and iat. All processing is done locally in the browser, ensuring privacy.
Quick tips
- JWT is often sent as Authorization: Bearer <token>; paste only the token part (without "Bearer").
- The tool does not send your data to servers; everything is processed locally.
- To validate the cryptographic signature you need the secret key (HMAC algorithms) or public key (RSA/EC).
- Use "Validate Claims" to automatically check if the token has expired (exp), is not yet valid (nbf), or was issued in the future (iat).
How to use
- Paste the JWT in the input box (with or without the "Bearer" prefix).
- Click Decode to see header, payload, and signature.
- Use Validate Claims to check temporal validity (exp/nbf/iat).
- Choose the output format: Pretty JSON, Compact, or Parts (header.payload.signature).
- Copy or download the result as JSON if needed.
Frequently asked questions
Does the tool validate the JWT signature?
No. The tool only decodes the token and verifies time claims (exp, nbf, iat). To validate the cryptographic signature it is necessary to provide the secret key (HMAC) or public key (RSA/EC) according to the algorithm used.
Is data sent to the server?
No. All processing is done locally in your browser — no data is sent to the server, ensuring complete privacy.
What are exp, nbf, and iat claims?
They are standard temporal claims in JWT: exp (expiration) indicates when the token expires, nbf (not before) indicates when the token becomes valid, and iat (issued at) indicates when the token was issued.
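The decode and claim-check steps described above, as an added JavaScript example that is not this tool's own code: the function names, the skewSec clock-skew parameter and the sample token are assumptions made for illustration. Like the tool, it never verifies the signature, so the decoded values are unauthenticated input.

```javascript
// Added example. Decodes only: the signature is never verified here, so
// nothing in the decoded header or payload may be trusted for authorization.
function b64urlToJson(part) {
  const b64 = part.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}

function decodeJwt(input) {
  const token = input.trim().replace(/^Bearer\s+/i, ""); // tolerate the header prefix
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  return {
    header: b64urlToJson(parts[0]),
    payload: b64urlToJson(parts[1]),
    signature: parts[2], // left as base64url text; checking it needs the key
  };
}

// Returns a list of problems; an empty list means the time claims pass.
// nowSec is seconds since the Unix epoch; skewSec is allowed clock skew in seconds.
function validateClaims(payload, nowSec, skewSec = 0) {
  if (payload === null || typeof payload !== "object") return ["payload is not a JSON object"];
  const problems = [];
  for (const name of ["exp", "nbf", "iat"]) {
    if (name in payload && !Number.isFinite(payload[name])) {
      problems.push(`${name} is not a numeric timestamp`);
    }
  }
  const { exp, nbf, iat } = payload;
  if (Number.isFinite(exp) && nowSec >= exp + skewSec) problems.push("expired (exp)");
  if (Number.isFinite(nbf) && nowSec < nbf - skewSec) problems.push("not yet valid (nbf)");
  if (Number.isFinite(iat) && iat > nowSec + skewSec) problems.push("issued in the future (iat)");
  return problems;
}

// Constructed sample token: the third part is a placeholder, not a real signature.
const enc = (obj) =>
  btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const sampleToken = [
  enc({ alg: "HS256", typ: "JWT" }),
  enc({ sub: "user-123", iat: 1700000000, nbf: 1700000000, exp: 1700003600 }),
  "c2FtcGxlLXNpZw",
].join(".");

const decoded = decodeJwt("Bearer " + sampleToken);
console.log(decoded.header, decoded.payload);
console.log(validateClaims(decoded.payload, 1700007200)); // one hour after exp
```

A token that passes these checks can still be forged or altered; only signature verification with the secret or public key establishes that the claims came from the issuer.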