Decode & Inspect Any JSON Web Token

Paste a JWT below to split it into its three segments, Base64URL-decode the header and payload into readable JSON, and audit every registered claim — including live expiry checks against your clock. Nothing is transmitted; all decoding happens locally in your browser.

Format: header.payload.signature — three Base64URL segments joined by dots.

Segments

Waiting for a token…

Header

Payload

Registered Claims

ClaimValueInterpretation
No claims decoded yet.

Signature (not verified)

This tool decodes structure only. Signature verification requires the signing secret or public key and is intentionally not performed client-side to avoid handling your keys.

How the decoder works

A JSON Web Token is three Base64URL-encoded strings separated by dots: header.payload.signature. This inspector splits your input on the dot character and processes each segment independently. The header and payload are decoded, while the signature is left as an opaque string because verifying it would require your secret key.

Base64URL differs from standard Base64: it replaces + with -, / with _, and strips trailing = padding. The tool reverses this by substituting the characters back, re-adding padding until the length is a multiple of four (pad = (4 - len % 4) % 4), then running the browser's atob(). Decoded bytes are passed through a UTF-8-aware step (decodeURIComponent(escape(...))) so multi-byte characters in claims survive intact, then parsed with JSON.parse.

The interesting work is the claim audit. JWT timestamps use NumericDate — seconds since the Unix epoch (1970-01-01 UTC), not milliseconds. For each of exp (expiration), nbf (not before), and iat (issued at) the value is multiplied by 1000 and rendered as a UTC and local time. The token is flagged expired when now >= exp, and not yet valid when now < nbf, where now is your device clock in seconds. The countdown shows exp - now broken into days, hours, minutes, and seconds so you can see exactly how much lifetime a token has left.

Registered claims iss, sub, aud, and jti are surfaced with plain-language descriptions, and the alg and typ fields from the header tell you the signing algorithm and token type. Everything recomputes on every keystroke, so paste, edit, and watch the analysis update instantly and privately.