JWT Decoder

Paste a JSON Web Token to inspect its header, payload, and expiration — 100% client-side, no data leaves your browser.

About this tool

A free, browser-based JWT decoder for developers. Paste any JSON Web Token (JWT) and see the decoded header, payload claims, and signature segment. Detects expired tokens and formats time-based claims (iat, exp, nbf) as readable dates.

🔍Decode header & payload instantly
⏱️Auto-format iat / exp / nbf claims
⚠️Visible expiration warning
🔒Runs entirely in your browser
📋One-click copy for each segment
📝Sample token included for quick demo

How to use it

Quick steps to get the most out of this utility.

  1. Paste your JWT

     Drop the token into the input — it should be three Base64URL segments joined by dots.

  2. Inspect the header

     Confirm the signing algorithm (alg) and token type (typ). HS256, RS256 and ES256 are typical.

  3. Read the payload

     Standard claims (iss, sub, aud, exp, iat) plus any custom data the issuer added.

  4. Check expiration

     A green/red badge tells you whether exp is in the future or the past, with a relative time hint.

  5. Verify on the server

     Signature verification needs the issuer's key — copy the segments and validate in your backend.

When to use a JWT decoder

Decoding is the fastest way to debug authentication issues. If a request is being rejected as unauthorized, decoding the token tells you whether the user ID, scopes, audience, or expiration are what you expect — without waiting for backend logs.

Decoded ≠ verified

Anyone can decode a JWT — that's by design. Decoding only confirms what the token claims; it doesn't prove the issuer actually signed it. Always verify the signature server-side before trusting any claim.
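The decoding steps above and the "decoded is not verified" point, as an added example that is not the tool's own code: it splits the three Base64URL segments, parses header and payload, formats the time claims, and applies a clock-skew window to exp. The sample token and its claim values are constructed for this example; the signature segment is a placeholder because decoding never checks it.

```javascript
// JWT segments use the URL-safe alphabet without '=' padding (RFC 7515).
function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

function base64UrlEncode(text) {
  return Buffer.from(text, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Split a compact JWT and parse header and payload. The signature is returned
// untouched: without the issuer's key there is nothing to check client-side.
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated segments, got ${parts.length}`);
  }
  const [header, payload, signature] = parts;
  return {
    header: JSON.parse(base64UrlDecode(header)),
    payload: JSON.parse(base64UrlDecode(payload)),
    signature,
  };
}

// Classify exp against "now", allowing the clock-skew window the FAQ describes.
function expirationStatus(payload, nowSeconds, skewSeconds = 0) {
  if (typeof payload.exp !== 'number') return 'no-exp';
  return payload.exp + skewSeconds > nowSeconds ? 'valid' : 'expired';
}

// Render iat / exp / nbf as ISO-8601 strings, as the tool's payload view does.
function formatTimeClaims(payload) {
  const out = {};
  for (const claim of ['iat', 'exp', 'nbf']) {
    if (typeof payload[claim] === 'number') {
      out[claim] = new Date(payload[claim] * 1000).toISOString();
    }
  }
  return out;
}

// Constructed sample token (not the page's): HS256 header, one-hour lifetime,
// and a placeholder where a real signature would be.
const SAMPLE_TOKEN = [
  base64UrlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' })),
  base64UrlEncode(JSON.stringify({ sub: 'user-42', aud: 'api', iat: 1700000000, exp: 1700003600 })),
  'placeholder-signature',
].join('.');
```

Swapping in a different payload segment still decodes cleanly, which is exactly why a decoded claim is not evidence of anything until the server checks the signature.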

Frequently asked questions

Is it safe to paste a JWT here?

The decoder runs entirely in your browser — your token is never sent to any server. That said, never share a valid production token with anyone, and treat the JWT as a credential.

Why can't this verify the signature?

Verification requires the issuer's secret (HMAC) or public key (RSA/EC) — that data is not in the token itself. Verification is always a server-side step using the JWKS endpoint or shared secret.

What's in the header vs the payload?

The header declares the algorithm (alg) and token type (typ). The payload contains claims — standard ones like iss, sub, exp, iat plus any custom data the issuer added.

My JWT shows as expired but the app still accepts it. Why?

Apps often allow a small clock-skew window (typically 30s to 5min). Confirmed expiry happens when both client and server agree the exp time has passed beyond that tolerance.
