Decode a JSON Web Token to inspect its header and payload, with human-readable expiry and issue times. Runs entirely in your browser; tokens are never uploaded.
How to use the JWT Decoder
Paste a JWT in the form header.payload.signature.
Read the decoded header and payload as formatted JSON.
Check the expiry and issued times, and whether the token has expired.
A JSON Web Token has three parts separated by dots: a Base64URL-encoded header, a Base64URL-encoded payload, and a signature. This decoder splits and decodes the first two parts instantly in your browser, so you can read what a token actually contains.
The most common use is inspecting a token an API returned: who issued it (iss), when it expires (exp), what permissions it carries (scope or roles), and whether it has already expired.
The tool takes the header and payload segments and decodes their Base64URL contents back into readable JSON. Nothing is sent anywhere: the split and decode happen locally the moment you paste a token.
The expiry is shown in readable local time, not a raw Unix timestamp, so you can see at a glance whether the token is still valid. The same applies to other time claims like iat and nbf, which become dates you can actually interpret.
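The split, Base64URL decode and time-claim check described above, as an added example (not this tool's own code). The function names and the sample token are constructed for illustration, and times are printed as UTC ISO strings rather than local time so the output is reproducible.

```javascript
// Decode-only JWT inspection: reads header and payload, never checks the signature.
// Base64URL swaps '+' and '/' for '-' and '_' and drops '=' padding; undo both before atob().
function base64UrlToJson(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error("segment is not Base64URL");
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  // Decode as UTF-8 so non-ASCII claim values survive; fatal rejects invalid bytes.
  return JSON.parse(new TextDecoder("utf-8", { fatal: true }).decode(bytes));
}

// Turn a numeric Unix-seconds claim into a readable form; null if absent or malformed.
function describeTime(claims, name, nowSec) {
  const v = claims[name];
  if (typeof v !== "number" || !Number.isFinite(v)) return null;
  return { unix: v, iso: new Date(v * 1000).toISOString(), inPast: v <= nowSec };
}

function inspectJwt(token, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const header = base64UrlToJson(parts[0]);
  const payload = base64UrlToJson(parts[1]);
  const exp = describeTime(payload, "exp", nowSec);
  const nbf = describeTime(payload, "nbf", nowSec);
  return {
    header,
    payload,
    times: { iat: describeTime(payload, "iat", nowSec), nbf, exp },
    expired: exp ? exp.inPast : false, // no exp claim: nothing to expire
    notYetValid: nbf ? !nbf.inPast : false,
    signatureVerified: false, // decoding says nothing about authenticity
  };
}

// Constructed sample token; the third segment is a placeholder, not a real signature.
const enc = (obj) =>
  btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const sampleToken = [
  enc({ alg: "HS256", typ: "JWT" }),
  enc({ iss: "https://issuer.example", scope: "read:items", iat: 1700000000, exp: 1700003600 }),
  "c2lnbmF0dXJlLXBsYWNlaG9sZGVy",
].join(".");

console.log(inspectJwt(sampleToken, 1700010000));
```

The result reports expired: true for the sample because the supplied clock is past exp, and signatureVerified stays false however the token decodes.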
This tool decodes and displays; it does not verify the signature against a secret key. Anyone can read a JWT payload without a key, because the signature only protects the token against modification and does not hide its contents.
For signature verification you need the signing secret or public key, which should never be entered into a browser-based tool. Do not paste secrets here.
The token never leaves your device. All decoding runs in your browser, so nothing you paste is uploaded or stored.
Frequently asked questions
No. It decodes and displays the header and payload. Verifying the signature needs the signing secret or public key, which you should not paste into any web tool.
Decoding reads the Base64url header and payload, which are not encrypted. Verifying recomputes the signature with the key to prove the token is authentic and unmodified.
Decoding happens entirely in your browser, so the token is not uploaded. Still, treat live tokens as secrets and avoid pasting them on shared computers.
They are standard claims: iat is issued-at, nbf is not-valid-before, and exp is the expiry time. The decoder converts these Unix timestamps to readable local time.
Yes. Expiry does not change how a token is decoded, so you can inspect an expired token's claims and see exactly when it lapsed.
A JWT is signed, not encrypted. The payload is only Base64url-encoded, so anyone can read it. Never put secrets in a JWT payload.