JWT URL decoder
JWTs are Base64URL — they break naive Base64 decoders. This tool decodes the header and payload, shows exp/iat/nbf as human-readable timestamps, and tells you whether the token is expired.
How to use
- Paste a JWT — either bare (three `xxx.yyy.zzz` chunks) or copied straight from a URL like `?token=...`.
- The Header and Payload panels appear instantly with pretty-printed JSON.
- Time fields (`exp`, `iat`, `nbf`, `auth_time`) are shown as both UTC ISO strings and relative ("expired 4 minutes ago", "valid for another 18 hours").
- The Signature chunk is shown as Base64URL — we don't verify it (verification needs the secret).
Common time claims
- `iat` — issued-at (when the token was created).
- `exp` — expiration (when the token stops being valid).
- `nbf` — not-before (the token isn't valid until this time).
- `auth_time` — when the user originally authenticated (often used for step-up auth decisions).
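The decode steps described above, as an added example that is not this tool's own source: it pulls a token out of a bare string or a `?token=` URL, converts Base64URL to standard Base64 before decoding, and reports the time claims and expiry. The names `b64urlToText`, `extractToken`, `decodeJwt` and `sampleToken` are assumptions, and the sample token is constructed with a placeholder signature.

```javascript
// Added example: decode-only JWT inspection; the signature is never verified.
const TIME_CLAIMS = ["exp", "iat", "nbf", "auth_time"];

// Base64URL uses "-" and "_" and drops "=" padding, which atob() rejects.
function b64urlToText(chunk) {
  const b64 = chunk.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

// Accept a bare token, or a URL / query string carrying ?token=...
function extractToken(input) {
  const text = input.trim();
  const q = text.indexOf("?");
  if (q === -1) return text;
  const query = text.slice(q + 1).split("#")[0];
  return new URLSearchParams(query).get("token") || text;
}

function decodeJwt(input, nowSeconds = Math.floor(Date.now() / 1000)) {
  const chunks = extractToken(input).split(".");
  if (chunks.length !== 3) return { ok: false, error: "Not a JWT" };
  let header, payload;
  try {
    header = JSON.parse(b64urlToText(chunks[0]));
    payload = JSON.parse(b64urlToText(chunks[1]));
  } catch (e) {
    return { ok: false, error: "Not a JWT" };
  }
  if (payload === null || typeof payload !== "object") return { ok: false, error: "Not a JWT" };
  const times = {};
  for (const name of TIME_CLAIMS) {
    const v = payload[name]; // seconds since the Unix epoch
    if (Number.isFinite(v) && Math.abs(v) <= 8.64e12) times[name] = new Date(v * 1000).toISOString();
  }
  // No usable exp claim: report no expiration status (null) instead of guessing.
  const expired = times.exp ? nowSeconds >= payload.exp : null;
  return { ok: true, header, payload, signature: chunks[2], times, expired };
}

// Constructed sample token with a placeholder signature, built here so the example runs offline.
function sampleToken(payload) {
  const enc = (o) => btoa(JSON.stringify(o)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "HS256", typ: "JWT" })}.${enc(payload)}.c2lnLXBsYWNlaG9sZGVy`;
}

console.log(decodeJwt(sampleToken({ sub: "demo", iat: 1700000000, exp: 1700003600 }), 1700003840));
```

The `expired` flag only reflects the unverified `exp` claim; anyone can edit the payload, so it says nothing about whether a server would accept the token.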
FAQ
Why doesn't this verify the signature?
Verification requires the symmetric secret or the issuer's public key. Pasting that into a public web tool is not a good idea — verify with a real library or your auth provider's debugger instead.
Is decoding sensitive?
The JWT contents are visible to anyone who has the token — Base64URL is not encryption. Don't paste real production tokens into any web tool unless you trust it. This tool decodes locally in your browser, but the principle holds.
What if it says "Not a JWT"?
JWTs have exactly three dot-separated chunks. If your token has two, it's a JWS / JWE in compact form; if one, it's just Base64 of some JSON.
What if exp is missing?
The token may be intentionally long-lived (e.g. an API key disguised as a JWT). The tool just won't show an expiration status.