Free JWT Decoder
Paste a JSON Web Token to decode the header, payload, and signature. Shows algorithm, expiry, and current validity. 100% client-side — your tokens are never transmitted anywhere.
Frequently asked questions
Are my JWT tokens sent to your server?
No. Decoding happens entirely in your browser using built-in base64 functions. Nothing is uploaded, logged, or transmitted. It is safe to paste production tokens.
Can this verify the signature?
This decoder shows the signature but does not cryptographically verify it. Signature verification requires the secret (for HMAC) or public key (for RSA/ECDSA), which you should never paste into a public tool. Verify on your server or with a CLI like jwt.io with your secret stored locally.
How do I check if a token is expired?
The decoder converts the 'exp' claim from a Unix timestamp to a human-readable date and shows whether the token is currently expired. It also shows 'iat' (issued at) and 'nbf' (not before).
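The decode-and-expiry steps described in the answers above, as an added JavaScript example (not this tool's own code). The function names, the state labels, and the sample token are assumptions constructed for illustration; the signature is split out but never verified, so the result says nothing about authenticity.

```javascript
// Added example: decode-only JWT inspection. The signature is NOT verified.
function b64urlToText(segment) {
  // base64url -> base64, restore '=' padding, then decode the bytes as UTF-8
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

function decodeJwt(token) {
  const parts = String(token).trim().split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const [header, payload] = parts.slice(0, 2).map((p) => JSON.parse(b64urlToText(p)));
  return { header, payload, signature: parts[2] };
}

// Time-window check only: 'exp', 'nbf' and 'iat' are Unix timestamps in seconds.
function timeStatus(payload, nowSeconds = Math.floor(Date.now() / 1000)) {
  const toDate = (v) =>
    typeof v === 'number' && Number.isFinite(v) ? new Date(v * 1000).toISOString() : null;
  const { exp, nbf, iat } = payload;
  let state = 'no-exp';
  if (typeof nbf === 'number' && nowSeconds < nbf) state = 'not-yet-valid';
  else if (typeof exp === 'number') state = nowSeconds >= exp ? 'expired' : 'valid';
  return { state, exp: toDate(exp), nbf: toDate(nbf), iat: toDate(iat) };
}

// Constructed sample token (not a real credential); the signature is a dummy string.
const enc = (obj) =>
  btoa(JSON.stringify(obj)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const SAMPLE_TOKEN = [
  enc({ alg: 'HS256', typ: 'JWT' }),
  enc({ sub: 'user-123', iat: 1700000000, nbf: 1700000000, exp: 1700003600 }),
  'c2lnbmF0dXJl',
].join('.');

const decoded = decodeJwt(SAMPLE_TOKEN);
console.log(decoded.header.alg, timeStatus(decoded.payload));
```

A token counts as expired from the 'exp' second onward, so the comparison is nowSeconds >= exp rather than a strict greater-than.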
What's the difference between JWT and a session cookie?
Session cookies store an opaque ID; the server looks up state. JWTs are self-contained — the user data lives inside the token, signed by the server. JWTs are stateless and scalable but cannot be revoked without extra infrastructure like a deny-list.