Peregrine falcon logoPeregrine Dev

JWT Decoder — Decode JSON Web Tokens Online

Paste a JWT token to decode the header, payload, and signature instantly. Check token expiration in real time.

Base64 decode payload?

Decode the JWT payload separately

How to jwt decoder

  1. 1.Paste your JWT token into the text area
  2. 2.View the decoded header and payload as formatted JSON
  3. 3.Check the expiration status if the token contains an exp claim
  4. 4.Click copy buttons to copy individual sections

About This Tool

A JSON Web Token (JWT) is a compact, URL-safe format used to represent claims between two parties. JWTs are widely used for authentication, session management, and information exchange in modern web applications. Each token consists of three Base64URL-encoded parts separated by dots: header, payload, and signature.

This JWT decoder splits the token and decodes the header and payload sections, displaying the JSON contents with proper formatting. It color-codes the three sections so you can easily identify which part is which. If the payload contains an exp (expiration) claim, the tool shows whether the token has expired.

Note: this tool only decodes the token. It does not verify the signature, which would require the signing secret or public key. For security-sensitive verification, use your backend JWT library. All decoding happens locally in your browser and no token data is transmitted.

Frequently Asked Questions

No. Signature verification requires the signing secret (for HMAC) or the public key (for RSA/EC). This tool only decodes and displays the header and payload. Never rely on decoded data without server-side verification.

Yes. All decoding happens locally in your browser using JavaScript. Your token is never sent to any server. However, avoid sharing tokens in general as they may grant access to resources.

The tool displays all claims present in the payload, including standard claims like iss (issuer), sub (subject), aud (audience), exp (expiration), iat (issued at), and nbf (not before), as well as any custom claims.

The exp claim is a Unix timestamp representing when the token expires. If the current time is past that timestamp, the tool marks it as expired. Short-lived tokens (e.g., 15 minutes) are common in OAuth flows.

Related Tools

Base64 Encode/DecodeHash GeneratorJSON FormatterURL Encode/Decode