Loading…
Loading…
JWT decoder
Paste a JSON Web Token and instantly inspect its header, payload claims, issued-at timestamp, and expiration — all decoded in the browser without sending your token to a server.
Last reviewed
June 23, 2026
When an API returns 401 Unauthorized, paste the JWT from your request to confirm the token has not expired, the audience (aud) claim matches the API endpoint, and the issuer (iss) is what the server expects.
JWT tokens contain three Base64URL-encoded sections separated by dots. The decoder splits the token, decodes each section, and parses the JSON. The signature section is displayed but not cryptographically verified.
The token is decoded entirely in the browser. However, avoid pasting production tokens from live sessions or tokens that grant access to sensitive resources — especially in shared environments.
The tool decodes and displays claims but does not verify the signature against a public key or secret. Never trust a decoded token for authentication or authorization decisions without proper server-side signature verification.