Monu Tools

JWT Decoder

Decode a JSON Web Token to inspect its header and payload, with human-readable expiry and issue times. Runs entirely in your browser; tokens are never uploaded.

How to use the JWT Decoder

  1. 01

    Paste a JWT in the form header.payload.signature.

  2. 02

    Read the decoded header and payload as formatted JSON.

  3. 03

    Check the expiry and issued times, and whether the token has expired.

What a JWT decoder shows you

A JSON Web Token has three parts separated by dots: a Base64URL-encoded header, a Base64URL-encoded payload, and a signature. This decoder splits and decodes the first two parts instantly in your browser, so you can read what a token actually contains.

The most common use is inspecting a token an API returned: who issued it (iss), when it expires (exp), what permissions it carries (scope or roles), and whether it has already expired.

How the decoding works

The tool takes the header and payload segments and decodes their Base64URL contents back into readable JSON. Nothing is sent anywhere: the split and decode happen locally the moment you paste a token.

Reading expiry and timestamps

The expiry is shown in readable local time, not a raw Unix timestamp, so you can see at a glance whether the token is still valid. The same applies to other time claims like iat and nbf, which become dates you can actually interpret.

Decoding is not verifying

This tool decodes and displays, it does not verify the signature against a secret key. Anyone can read a JWT payload without a key, because only the signature is protected, not the contents.

For signature verification you need the signing secret or public key, which should never be entered into a browser-based tool. Do not paste secrets here.

Privacy

The token never leaves your device. All decoding runs in your browser, so nothing you paste is uploaded or stored.

Frequently asked questions

Does it verify the signature?

No. It decodes and displays the header and payload. Verifying the signature needs the signing secret or public key, which you should not paste into any web tool.

What is the difference between decoding and verifying?

Decoding reads the Base64url header and payload, which are not encrypted. Verifying recomputes the signature with the key to prove the token is authentic and unmodified.

Is it safe to paste my token here?

Decoding happens entirely in your browser, so the token is not uploaded. Still, treat live tokens as secrets and avoid pasting them on shared computers.

What do exp, iat and nbf mean?

They are standard claims: iat is issued-at, nbf is not-valid-before, and exp is the expiry time. The decoder converts these Unix timestamps to readable local time.

Can I decode an expired token?

Yes. Expiry does not change how a token is decoded, so you can inspect an expired token's claims and see exactly when it lapsed.

Why is my payload readable without a key?

A JWT is signed, not encrypted. The payload is only Base64url-encoded, so anyone can read it. Never put secrets in a JWT payload.

Sources

Embed this tool

Add this tool to your own website. Copy the snippet below; it stays up to date automatically.

<iframe src="https://monu.tools/embed/en/jwt-decoder" width="100%" height="640" style="border:1px solid #e5e5e5;border-radius:12px;max-width:680px" loading="lazy" title="Monu Tools"></iframe>

Learn more

Related tools