JWT Decoder
Inspect auth headers and token data in your browser. No input is sent to a server. Use it for first-pass checks on expiry, claims, and schemes.
How to use
Paste a JWT and click “Decode”. Check alg/kid first, then inspect payload claims and exp/iat/nbf times.
Notes (this tool)
- No signature verification. Verify authenticity with JWT Verifier or server-side validation.
- Readable output does not imply trust. Use only verified tokens for authorization decisions.
About this page
What does this tool do?
Paste a JWT to pretty-print header/payload and make time claims like exp/iat/nbf readable.
This page is decode-only. It does not verify signatures.
It is useful for debugging and troubleshooting (inspecting claims, checking expiration, and understanding token contents).
Typical use cases
- Inspect claims like sub/aud/iss from a JWT in logs
- View exp/iat/nbf in UTC and local time
- Quickly check if a bearer token is a JWT
Debugging workflow (recommended)
- Check header fields alg/kid first
- Inspect iss/aud/sub/exp/nbf/iat in payload
- If timing is suspicious, continue with JWT TTL/Clock Skew tools
- Use JWT Verifier when authenticity must be confirmed
Recommendations (practical)
- Never trust decoded data alone; pair with signature verification
- Pin expected aud/iss values and validate explicitly
- Mask personal data in payload before sharing tokens
What this tool does
- Pretty-print header/payload JSON
- Show exp (expiration) as date/time
- Show iat / nbf as date/time
- Decode Base64url
Common pitfalls
- Overlooking risky settings such as alg=none
- Mixing up exp units (seconds vs milliseconds)
- Assuming readability implies trustworthiness
Time claims (exp / iat / nbf)
exp/iat/nbf are typically Unix time (seconds). This page shows both ISO time and your local time.
- exp: expiration time
- iat: issued at
- nbf: not before
Operational notes
- Result output alone is not enough for trust decisions. Always validate signatures and issuer.
- Clock skew and environment differences affect reproducibility, so record test time and settings.
Referenced specs
- RFC 7519 (JWT)
- RFC 8725 (JWT Best Current Practices)
- Base64url (RFC 7515 / RFC 4648)
FAQ
Does it verify signatures?
No. Signature verification is not performed. Verify on the server if needed.
What if exp is missing?
Some JWTs omit exp. In that case, the date display is blank.
Is it safe to trust what I see in header/payload?
Since the signature is not verified, nothing shown here can be trusted on its own. Make authorization decisions only with verified tokens.
Notes (security)
- This page is for display only. No signature verification/tamper detection.
- Be careful with tokens containing sensitive data (screen sharing, pasting into logs, etc.).
Page-specific case studies
Use this page for fast JWT payload visibility before signature verification.
- Validate exp/nbf/iat interpretation for units and time zones.
- Check iss, aud, and sub against expected values.
- Inspect alg and kid before moving to verifier tools.
Page-specific implementation checklist
- Never make authorization decisions from decoded output alone.
- Mask personal claims before sharing logs.
- When timing issues appear, check server clock sync too.
- Always perform trust verification in JWT Verifier.
Next to view (diagnostic order)
- JWT 401/403 Diagnostic Playbook — Separate 401 and 403 using Authorization, WWW-Authenticate, claims, and signature checks
- JWT Decoder vs Verifier — Clarify decode vs signature verification roles and connect to 401/403 troubleshooting flow
- JWT Claim Audit — Audit missing required/recommended JWT claims
- JWT 401/403 Troubleshooting — Troubleshoot 401/403 auth failures from headers and JWT claims
- JWT TTL Check — Calculate validity window and remaining TTL from exp/iat/nbf
- OAuth Bearer Diagnostic — Diagnose consistency between Bearer and WWW-Authenticate
- JWT Clock Skew Check — Detect timestamp skew across iat/nbf/exp
- Authorization Inspect — Parse Authorization header formats
Same-theme links
Auth
Trace auth failures across Bearer, WWW-Authenticate, and JWT
- WWW-Authenticate Inspect — Parse WWW-Authenticate challenges
- JWT Verifier — Verify JWT signatures (HS/RS/ES)
Example
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmJmIjoxNTE2MjM5MDIyfQ.signature