JWT Decoder

Decode header and claims, sanity-check expiry and algorithm.

Runs entirely in your browser — the token is never transmitted anywhere. Verify with DevTools: zero network requests on decode.

How it works

A JWT is three Base64URL segments: header.payload.signature. This tool decodes the first two locally, pretty-prints the JSON, converts exp/iat/nbf timestamps to human-readable dates, and flags risky patterns — alg: none, expired tokens, and long-lived tokens. It does not verify the signature (that requires the key); a decoded token is not a validated token.

FAQ

Is it safe to paste a production token here?

The decode is fully client-side, so nothing is uploaded — but treat live tokens like passwords anyway: prefer expired or test tokens when you can.

Why is alg: none flagged?

Historic implementations accepted unsigned tokens when the header claimed none, letting attackers forge arbitrary claims. Any modern library should reject it; seeing it in the wild is a red flag.