JWT Decoder
Decode JSON Web Tokens to inspect headers, payload claims, and signature data without leaving your browser.
Header
{
"alg": "HS256",
"typ": "JWT"
}
Algorithm: HS256 (JWT)
Signature
Signature verification is not performed here—validate it with your signing secret or public key in your backend.
Payload
{
"sub": "1234567890",
"name": "John Doe",
"iat": 1516239022
}
Claims overview
- sub: 1234567890
- name: John Doe
- iat: 1516239022 (UTC: Thu, 18 Jan 2018 01:30:22 GMT)
Tip: JWT segments are Base64URL encoded. Run them individually through the Base64 Encode & Decode tool if you need to inspect them outside the full token.
Understand tokens before they reach production
Paste an access token from your auth provider and immediately inspect the header, claims, and signature. We highlight the signing algorithm, reveal each claim, and convert common timestamps (iat, exp, nbf) into human-readable UTC times so you can debug authentication flows quickly.
Use it while setting up OAuth, troubleshooting SSO sessions, or confirming which scopes are embedded in a token before granting access to APIs.
Quick how-to
- Paste a JWT in header.payload.signature format.
- Review header metadata, including algorithm and token type.
- Inspect payload claims, copy individual values, and check expiry timestamps.
- Validate the signature on your server with the correct secret or key.
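The last step, as an added Node.js example (not this tool's code): it decodes the three segments the way the steps above describe, then verifies an HS256 signature server-side with a pinned algorithm and a constant-time comparison. The secret, the function names and the altered payload are constructed for illustration; the header and payload are the sample values shown on this page.

```javascript
const { createHmac, timingSafeEqual } = require("node:crypto");

const b64url = (buf) => Buffer.from(buf).toString("base64url");
const fromB64url = (seg) => JSON.parse(Buffer.from(seg, "base64url").toString("utf8"));
// HS256 is HMAC-SHA256 over the ASCII string "header.payload".
const hs256 = (signingInput, secret) =>
  createHmac("sha256", secret).update(signingInput).digest();

// Decode only: readable claims, but no statement about who produced them.
function decodeJwt(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  return { header: fromB64url(parts[0]), payload: fromB64url(parts[1]), parts };
}

// Verify: pin the algorithm, recompute the MAC, compare in constant time, then check times.
function verifyHs256(token, secret, nowSeconds = Math.floor(Date.now() / 1000)) {
  const { header, payload, parts } = decodeJwt(token);
  if (header.alg !== "HS256") throw new Error("unexpected alg: " + header.alg);
  const expected = hs256(parts[0] + "." + parts[1], secret);
  const given = Buffer.from(parts[2], "base64url");
  if (given.length !== expected.length || !timingSafeEqual(given, expected))
    throw new Error("bad signature");
  if (typeof payload.exp === "number" && payload.exp <= nowSeconds)
    throw new Error("token expired");
  if (typeof payload.nbf === "number" && payload.nbf > nowSeconds)
    throw new Error("token not yet valid");
  return payload;
}

// Constructed sample: the page's header and payload, signed with a made-up secret.
const SECRET = "constructed-demo-secret";
function makeSampleToken(payload = { sub: "1234567890", name: "John Doe", iat: 1516239022 }) {
  const head = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = b64url(JSON.stringify(payload));
  return head + "." + body + "." + b64url(hs256(head + "." + body, SECRET));
}

// A token whose payload was altered after signing still decodes, but must fail verification.
function demo() {
  const token = makeSampleToken();
  const [head, , sig] = token.split(".");
  const altered = [head, b64url(JSON.stringify({ sub: "1234567890", name: "Admin" })), sig].join(".");
  let rejected = false;
  try { verifyHs256(altered, SECRET); } catch { rejected = true; }
  return { decodedName: decodeJwt(altered).payload.name, rejected, verifiedSub: verifyHs256(token, SECRET).sub };
}
```

Authorization decisions should use only the payload returned by the verify step; decoded-but-unverified claims are for debugging.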
Pro tips & related tools
- Need to drill into a single segment? Open the Base64 Encode & Decode tool and paste the header or payload directly.
- Validate downstream JSON structures with the JSON Formatter & Validator before handing them to other services.
- Keep API queries safe by pairing with the URL Encode & Decode utility if you embed JWTs in redirects.
Example troubleshooting flow
Copy a failing token from a 401 response, decode it here, confirm the aud and scope claims, then cross-check them with your API gateway policy. If the exp timestamp shows the token is stale, refresh it before retrying the request.
FAQ highlights
Is it safe to paste production tokens? Yes. Everything stays in your browser tab and clears when you refresh. No network calls are made.
Can I edit claims? Not here. Re-issue the token from your auth provider, or generate a sample token with the right claims for testing through their SDKs.

