Paste a JSON Web Token to decode its header, payload, and check its expiry. Everything runs in your browser — your token never leaves your device.
🔒 Runs entirely in your browser — token never sent to any server
Paste JWT Token
Header
Payload
Registered Claims
When to use this
🐛
Debug auth failuresIf a login or API call is rejected, paste the token here to check if it's expired, missing a claim, or targeting the wrong audience.
⏱️
Check token expirySee exactly when the token expires — or when it was issued — without writing any code. Useful during development and testing.
👤
Read user claimsInspect what user data is embedded — user ID, roles, email, permissions — as returned by your auth provider.
🔒
Verify the algorithmCheck the alg field in the header. Tokens using none or weak algorithms are a security risk.
💡 JWTs are not encrypted — only signed. Anyone can read the payload. Never put passwords or secrets inside a JWT.