⚡ Developer · Client-side · No data sent to server

JWT Decoder

Paste a JWT to read its header and payload as formatted JSON, with exp, iat, and nbf shown as readable dates. Everything runs in your browser, and the token is never sent anywhere. Decoding does not verify the signature.

100% private. This tool splits and base64url-decodes the token entirely in your browser. Nothing is uploaded or logged. Decoding reads a token; it does not verify the signature.

About the JWT Decoder

The JWT Decoder splits a JSON Web Token into its three parts, base64url-decodes the header and payload, and pretty-prints both as readable JSON. It also turns the standard time claims (exp, iat, nbf) into human-readable dates. It is built for developers and WordPress integrators who work with auth tokens from APIs, login flows, and the WP REST API. Decoding runs entirely in your browser, so your token is never sent anywhere. Note that decoding reads a token; it does not verify the signature.

How it works

  1. Paste a JWT in the format header.payload.signature into the input box.
  2. The tool splits the token on dots and base64url-decodes the header and payload.
  3. Read the formatted header and payload JSON in the two labeled boxes; the exp, iat, and nbf claims also appear as readable UTC dates.
  4. Review the raw signature shown below. The tool does not check it, so a decoded token is not a verified token.

Features

  • Splits and base64url-decodes the header and payload in one step.
  • Pretty-prints both parts as syntax-highlighted JSON.
  • Shows exp, iat, and nbf as readable UTC dates with expired and not-yet-valid flags.
  • Displays the raw signature without verifying it, and states this clearly.
  • Inline error message for malformed tokens, with one-click copy of each decoded part.

Frequently asked questions

Is my token sent anywhere?

No. The token is split and decoded entirely in your browser. Nothing is uploaded, stored, or logged.

Does this verify the signature?

No. This tool decodes the header and payload so you can read them. It does not check the signature, so a token that decodes here is not proven to be authentic or untampered. Verify the signature on your server with the secret or public key.

What do exp, iat, and nbf mean?

They are standard JWT time claims stored as Unix timestamps. exp is the expiration time, iat is the issued-at time, and nbf is the not-before time. The tool shows each one as a readable UTC date and flags whether the token is expired or not yet valid.

Why do I get an error?

A JWT must have exactly three parts separated by dots, and the first two parts must be base64url-encoded JSON. Common causes of errors are a missing part, extra whitespace, or a copied token that is cut off. The error message names the part that failed to decode.

Is it safe to paste a real token here?

Decoding happens locally in your browser, so the token does not leave your device. Still, a JWT can contain personal data in its payload, so use your own judgment. Avoid pasting production tokens on a shared or untrusted computer.