Back to tools

JWT Decoder

Decode a JSON Web Token in your browser. Read the header and payload as JSON, see claims as human-readable timestamps, and check expiry at a glance. Decode-only — the signature is never verified and nothing is uploaded.

decoded

Decoded in your browser. Signature is not verified.

HS256
Subject
1234567890
name
John Doe
Issued at
1516239022 · 2018-01-18T01:30:22Z

How It Works

  1. 1

    Paste the token

    The raw JWT or a full Bearer header.

  2. 2

    Read the header

    See the algorithm and token type.

  3. 3

    Inspect the payload

    Claims decoded to JSON, with readable dates.

  4. 4

    Check expiry

    An active/expired badge from the exp claim.

Use Cases

  • Debug auth failures

    Confirm which claims a token actually carries when a request is rejected.

  • Verify expiry

    Check exp and nbf to see whether a token is live right now.

  • Inspect scopes and roles

    Read the payload to confirm scopes, roles, or audience are set correctly.

  • Build API test fixtures

    Decode a sample token to model the claims your test doubles should return.

Frequently Asked Questions

It splits a JSON Web Token into its three parts and base64url-decodes the header and payload into readable JSON. Registered claims like exp, iat, and nbf are also shown as human-readable timestamps.
No. Decoding and verification are different. Verifying a signature requires the signing secret or public key, which should never be pasted into a web page. This tool decodes only — it shows you what a token contains, not whether it is trustworthy.
No. The token is decoded entirely in your browser with no network calls, no storage, and no logging. Even so, treat production tokens as secrets and prefer test tokens where you can.
If the payload has an `exp` claim, the tool compares it to the current time and shows an "active" or "expired" badge, plus the exact expiry timestamp.
Decoding is algorithm-agnostic — HS256, RS256, ES256, and others all decode the same way. The header's `alg` value is shown as a badge so you can see how the token was signed.
Yes. A leading "Bearer " prefix is stripped automatically, so you can paste the raw header value.

Done decoding? Now automate the auth flows behind that token.

Bug0's expert AI agents write end-to-end tests from plain English, auto-heal them when your UI changes, and run them on every deploy. A forward-deployed engineer verifies every result.

From $2,500/mo. Results in 7 days.

Go on vacation. Bug0 never sleeps. The AI tests every commit, every deploy, every schedule. Your forward-deployed engineer reviews every failure and files the bugs. Coverage holds while you're off the grid.

Go on vacation.
Bug0 never sleeps.

The AI tests every commit, every deploy, every schedule. Your forward-deployed engineer reviews every failure and files the bugs. Coverage holds while you're off the grid.