Is it safe to paste my JWT into this decoder?

Yes — all decoding happens locally in your browser. The token is never sent to any server, logged, or stored.

Why is my JWT showing as expired?

JWTs contain an exp claim. If it's in the past, your app should refresh the token by calling your auth server's refresh endpoint.

Does this verify the signature?

No — verification requires the secret or public key. This tool decodes the structure and claims only. Always verify JWTs server-side with a trusted library.

🪪

JWT Decoder

Paste a JSON Web Token to instantly decode its header, payload claims, and inspect expiry times. Everything runs client-side — your token never leaves your browser.

JSON Web Token

How to use

Paste a JWT from your Authorization header, cookie, or API response into the input box.
Review the colour-coded header, payload, and signature panels — claims are also broken out into a friendly table.
Check the exp badge to see whether the token is still valid, and copy any section to your clipboard.

FAQ

With this tool, yes — decoding is entirely client-side. The token never leaves the browser. Avoid online decoders that POST your token to a server.

No. Verification needs the secret or public key. This tool focuses on inspecting the header and claims — always verify on your server with a trusted library.

The exp claim is a Unix timestamp. If it's in the past, your app should refresh the token using your auth server's refresh endpoint.