Free tool

JWT Decoder

Decode a JWT's header and payload and check its expiry — nothing leaves your browser.

JWT

This only decodes the token — it does not verify the signature. Never trust these claims without validating the token server-side.

A JWT (JSON Web Token) is three Base64url-encoded parts separated by dots: a header, a payload of claims, and a signature. The header and payload are just encoded, not encrypted — anyone holding the token can read them, which is exactly what this tool does, locally.

The signature is what actually proves the token is legitimate, and this tool does not check it — that requires the issuer's secret or public key, which no client-side tool should ever ask you for. Treat a decoded payload as “what the token claims,” not as “what's been verified.”

How to use it

  1. 01Paste a JWT.
  2. 02Read the decoded header and payload as formatted JSON.
  3. 03Check the expiry line to see if the token has already expired.

Frequently asked questions

Is the token sent anywhere?

No — it's split and Base64url-decoded entirely in your browser. Nothing is transmitted, which matters, since JWTs often carry session or identity claims.

Why doesn't this verify the signature?

Verifying a signature requires the issuer's secret (for HMAC algorithms) or public key (for RSA/ECDSA) — secrets that should never be pasted into a random web tool. Signature verification belongs on your server, with the actual key.

Can I trust the claims in the payload?

Only after the signature has been verified by whoever is supposed to trust the token — until then, the payload is just what the token claims about itself, which anyone could have crafted. Never make an authorization decision based on an unverified JWT.

Related tools

This is what Purgify automates.

Connect your cloud accounts and Purgify finds duplicates and reclaimable space like this — across all of them, on a schedule.

Available very soon

Want early access? Write to us at [email protected]