Paste a JSON Web Token below. The header and payload are decoded in your browser, expiry claims are shown
in human time, and common red flags (expired, alg: none, missing exp) are surfaced.
Tokens are never uploaded.
| Claim | Value | Meaning |
|---|---|---|
Times are converted from Unix seconds to your local timezone. JWT signature verification is not done here — this tool decodes, it does not validate cryptographically.
| Segment | Format | Typical contents |
|---|---|---|
| header | Base64URL(JSON) | alg, typ, optional kid |
| payload | Base64URL(JSON) | Claims: iss, sub, aud, exp, iat, nbf, jti, plus app data |
| signature | Base64URL(bytes) | HMAC (HS*), RSA (RS*/PS*), ECDSA (ES*) or EdDSA signature over the ASCII string `base64url(header).base64url(payload)`; empty for alg: none |
Does this verify the signature?
No. Verification needs the issuer's shared secret (HS256) or public key (RS256/ES256/EdDSA). The HMAC secret must never be pasted into a public tool, and even a public key only proves who signed the token, not that the receiving server would accept it (it may pin different algorithms, audiences or key IDs). Use this page to inspect; verify on the server that consumes the token.
Is my token uploaded?
No. The token is split on dots, each segment is Base64URL-decoded (URL-safe characters mapped back and padding restored, then atob), the resulting bytes are decoded as UTF-8 with TextDecoder, and the
text is JSON.parsed, all in your browser. No network calls are made.
What's wrong with alg: none?
A none JWT has no signature: its third segment is empty. Several historical library bugs accepted such tokens as valid (some also accepted case variants such as "None"), letting
attackers forge tokens by editing the payload and changing alg. Production verifiers should pin the algorithm(s) they expect and reject alg: none unless the application
explicitly chose unsigned tokens.
My token won't decode — why?
Common causes: extra whitespace or a "Bearer " prefix (the tool strips both); the wrong number of segments (a signed JWS has exactly three; an encrypted
JWE has five, and this tool handles JWS only); or a payload that is not JSON (some systems nest another token or use
cty: application/cwt or similar).
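The decoding path described above (strip "Bearer " and whitespace, split on dots, Base64URL-decode, JSON.parse) together with the red-flag checks (alg: none, missing exp, expired, nbf in the future) and the segment-count diagnosis, as one added example. This is illustrative code written for this page, not the tool's own source; the flag strings, the `decodeJwt` name and the constructed sample token are assumptions. It runs unchanged in a browser or in Node 16+, where atob, btoa, TextEncoder and TextDecoder are globals.

```javascript
// Added example (not the page's own code): a JWS decoder that inspects but
// does not verify. It never touches the network and never needs a key.

function base64UrlDecode(segment) {
  // Base64URL -> standard Base64: restore '+' '/' and the '=' padding.
  let b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const rem = b64.length % 4;
  if (rem === 1) throw new Error('invalid Base64URL length');
  if (rem) b64 += '='.repeat(4 - rem);
  const bin = atob(b64);                                  // binary string
  const bytes = Uint8Array.from(bin, (c) => c.charCodeAt(0));
  // fatal: true makes malformed UTF-8 throw instead of producing U+FFFD.
  return new TextDecoder('utf-8', { fatal: true }).decode(bytes);
}

function base64UrlEncode(text) {
  // Only used to build the constructed sample token below.
  const bytes = new TextEncoder().encode(text);
  let bin = '';
  bytes.forEach((b) => { bin += String.fromCharCode(b); });
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Returns { header, payload, flags }. `now` is Unix seconds and is a
// parameter so the check is deterministic (defaults to the real clock).
function decodeJwt(input, now = Math.floor(Date.now() / 1000)) {
  const token = input.trim().replace(/^Bearer\s+/i, '');
  const parts = token.split('.');
  if (parts.length === 5) throw new Error('five segments: this is a JWE, not a JWS');
  if (parts.length !== 3) throw new Error(`expected 3 segments, got ${parts.length}`);
  const [h, p, sig] = parts;

  const header = JSON.parse(base64UrlDecode(h));
  const payload = JSON.parse(base64UrlDecode(p));
  const flags = [];

  // alg is checked case-insensitively: "None" / "NONE" bypasses were real.
  if (typeof header.alg !== 'string' || header.alg.toLowerCase() === 'none') {
    flags.push('alg none or missing');
  }
  if (sig.length === 0) flags.push('empty signature');

  if (payload.exp === undefined) flags.push('missing exp');
  else if (typeof payload.exp !== 'number') flags.push('exp is not a number');
  else if (payload.exp <= now) flags.push('expired');

  if (typeof payload.nbf === 'number' && payload.nbf > now) flags.push('nbf in the future');

  return { header, payload, flags };
}

function makeUnsignedJwt(header, payload) {
  // Constructed sample: alg none => empty third segment.
  return `${base64UrlEncode(JSON.stringify(header))}.${base64UrlEncode(JSON.stringify(payload))}.`;
}

// Constructed sample token (not a real credential): alg none, exp in the past.
const SAMPLE_TOKEN = makeUnsignedJwt({ alg: 'none', typ: 'JWT' },
                                     { sub: 'alice', iss: 'example', exp: 1700000000 });

// Usage: decodeJwt('Bearer ' + SAMPLE_TOKEN, 1700000001).flags
//   -> ['alg none or missing', 'empty signature', 'expired']
```

The `now` parameter exists so the expiry check can be reasoned about without a live clock; in the browser tool the default (the real clock) applies. Note that "not flagged" only means the claims look sane, never that the token is genuine: that still requires verification with the issuer's key on the server that consumes it.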