Free · Nothing uploads · No logging

Decode JWTs without the server round-trip.

Paste a token — the header and payload decode in your browser. Signatures stay server-side where they belong. Safe for production tokens.

Valid window

  • iat: 2024-12-24T14:20:00.000Z (508d ago)
  • exp: 2286-11-20T17:46:39.000Z (95151d from now)

Header

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload

{
  "sub": "user-1234",
  "name": "Jane Doe",
  "iat": 1735050000,
  "exp": 9999999999
}

Signature

SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Signatures can't be verified client-side without the secret. This tool only decodes — it never tries to send your token anywhere to verify it.

How it works

Four steps

  1. Paste a JWT

     Any JWT — access token, id token, refresh token — three dot-separated base64url parts.

  2. Read the header + payload

     Both get pretty-printed as JSON with a one-click copy.

  3. Check the expiry

     iat / nbf / exp claims show absolute timestamps and human-readable relative times.

  4. Never worry about leakage

     The tool never sends your token anywhere. No backend, no logging, no analytics on token data.

Questions

Frequently asked

Does this tool verify the signature?

No — and that's intentional. Signature verification requires the secret or public key, and passing a secret through a third-party website defeats the point. Use your JWT library server-side for verification; use this tool only to inspect claims.

Is it safe to paste a real production token?

Safer than any hosted decoder. This page runs the decode entirely in your browser — there's no server call, no logging, no analytics event containing the token. That said: if it's a long-lived token, rotate it anyway as a habit.

Why 3 parts separated by dots?

A JWT has the form header.payload.signature, with each part base64url-encoded. The first two parts are JSON objects; the third is a cryptographic signature computed over the first two, and it can only be checked by whoever holds the key.

What are iat, nbf, exp?

Issued-at, not-before, and expiry — standard claims defined in RFC 7519. They're Unix timestamps (seconds since the epoch). nbf means the token shouldn't be accepted before that time; exp means it expires at that time.
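The decode-only flow described in the steps and FAQ above (split on the dots, base64url-decode the first two parts, parse them as JSON, compare iat / nbf / exp with the clock, and leave the signature alone), as an added JavaScript example that is not the tool's own code. The sample token is constructed from the header and payload shown on this page; base64UrlToBytes, decodeJwt and validityWindow are names chosen here.

```javascript
// Added example: browser-side JWT inspection. Needs only TextEncoder/TextDecoder.
const B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
// base64url (standard alphabet with - and _, no padding) -> bytes; '=' is tolerated.
function base64UrlToBytes(s) {
  const out = [];
  let acc = 0, bits = 0;
  for (const ch of s) {
    if (ch === "=") break;
    const v = B64.indexOf(ch === "-" ? "+" : ch === "_" ? "/" : ch);
    if (v < 0) throw new Error("invalid base64url character: " + ch);
    acc = ((acc << 6) | v) & 0xffff; bits += 6;
    if (bits >= 8) { bits -= 8; out.push((acc >> bits) & 0xff); }
  }
  return new Uint8Array(out);
}
// bytes -> base64url; used only to build the constructed sample token below.
function bytesToBase64Url(bytes) {
  let out = "", acc = 0, bits = 0;
  for (const b of bytes) {
    acc = ((acc << 8) | b) & 0xffff; bits += 8;
    while (bits >= 6) { bits -= 6; out += B64[(acc >> bits) & 63]; }
  }
  if (bits > 0) out += B64[(acc << (6 - bits)) & 63];
  return out.replace(/\+/g, "-").replace(/\//g, "_");
}
// Split on dots, parse parts 1 and 2 as JSON, keep part 3 as an opaque string.
// Nothing here checks the signature: that needs the key and belongs server-side.
function decodeJwt(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("a JWT has exactly three dot-separated parts");
  const json = (p) => JSON.parse(new TextDecoder().decode(base64UrlToBytes(p)));
  return { header: json(parts[0]), payload: json(parts[1]), signature: parts[2] };
}

// Evaluate iat / nbf / exp (seconds since the Unix epoch) against nowSeconds.
function validityWindow({ iat, nbf, exp }, nowSeconds) {
  const iso = (t) => (t === undefined ? null : new Date(t * 1000).toISOString());
  return {
    iat: iso(iat), nbf: iso(nbf), exp: iso(exp),
    notYetValid: nbf !== undefined && nowSeconds < nbf,
    expired: exp !== undefined && nowSeconds >= exp,
  };
}

// Constructed sample: the header and payload shown on this page, with the displayed
// signature string passed through unchanged (this code never tries to verify it).
const enc = (o) => bytesToBase64Url(new TextEncoder().encode(JSON.stringify(o)));
const SAMPLE_TOKEN = [enc({ alg: "HS256", typ: "JWT" }),
  enc({ sub: "user-1234", name: "Jane Doe", iat: 1735050000, exp: 9999999999 }),
  "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"].join(".");
```

Call decodeJwt(SAMPLE_TOKEN) and pass its payload with Math.floor(Date.now() / 1000) to validityWindow to reproduce the Valid window panel above.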
