Paste a JSON Web Token to instantly read its header and payload and check the expiry, all decoded locally in your browser. The token is never sent anywhere.
How it works
- Paste your raw JWT string into the decoder box.
- The browser locally decodes the Base64Url payload and headers into readable JSON.
- Check the extracted `exp` timestamp to verify if the token is expired.
Frequently asked questions
Is the cryptographic signature verified here?
No. Verifying a signature mathematically requires your private secret key. This tool merely decodes the base64 claims for inspection.
Is it safe to paste a production JWT here?
Yes, decoding executes entirely in your browser Javascript, so the token is never transmitted. However, you should generally treat live tokens with extreme caution.
What does the exp claim represent?
It is a standard Unix timestamp indicating exactly when the token expires. The tool parses this and flags it for you visually.