Does this verify the JWT signature?

No. This tool only decodes — it never asks for or stores secrets. Use a server-side library to verify in production.

Is my token sent anywhere?

No. Decoding happens entirely in your browser. Tokens never leave your device.

Why does it warn about alg=none?

Tokens signed with alg=none are unauthenticated. They should never be accepted by production verifiers.

What about exp and nbf?

exp (expiry) and nbf (not before) are interpreted as Unix seconds. The status badge flags expired or not-yet-valid tokens automatically.

JWT Decoder — Free Online Developer Tool

Developer Tools

Base64 Encoder / Decoder

Encode any text to Base64 — or decode Base64 back to plain text — instantly, with optional URL-safe output. Works fully in your browser with UTF-8 support.

Developer Tools

UUID Generator

Generate cryptographically secure UUIDs (v4 random and v7 time-ordered) instantly — in your browser, with hyphens, casing, and braces formatting.

Security Tools

Hash Generator

Generate MD5, SHA-1, SHA-256, SHA-384, and SHA-512 hashes from any text — instantly, in your browser, with zero uploads.

Developer Tools

URL Encoder / Decoder

Percent-encode any text for safe use in URLs — or decode encoded strings back to plain text. UTF-8 safe, instant, and fully private.

Developer Tools

JSON Formatter & Validator

Pretty-print, minify, and validate JSON in your browser. Spot syntax errors with exact line and column numbers — no server, no upload.

Developer Tools

HTML Entity Encoder & Decoder

Encode and decode HTML entities — minimal, named, numeric, or all non-ASCII. Live preview, copy, swap, in your browser.

About JWT Decoder

A privacy-first JWT inspector. Paste any compact-serialization JWT to see the decoded header and payload as formatted JSON, plus a claims panel that flags expired (exp), not-yet-valid (nbf), and issued-at (iat) timestamps. Warnings highlight risky tokens (alg=none, empty signature). Verification is intentionally not performed — paste anywhere safely.

How to use

Paste a JWT (three Base64URL segments separated by dots).
Inspect the decoded header and payload JSON.
Check the status badge — Active, Expired, or Not yet valid.
Copy either segment with the per-section copy button.

FAQ

Frequently asked questions

Got questions? We’ve got answers. Here are some of the most common inquiries about JWT Decoder.

Related tools

About JWT Decoder

How to use

Frequently asked questions

Does this verify the JWT signature?

Is my token sent anywhere?

Why does it warn about alg=none?

What about exp and nbf?

Related tools

About JWT Decoder

How to use

Frequently asked questions

Does this verify the JWT signature?

Is my token sent anywhere?

Why does it warn about alg=none?

What about exp and nbf?