JWT decoder
Decode JSON Web Tokens and inspect their header, payload, and claims — all in your browser, never sent to a server.
Handytool decodes the header and payload only. Signatures must be verified server-side with the issuer's key.
About the JWT decoder
Handytool's JWT decoder parses any JSON Web Token into its header and payload, highlights the standard claims (iss, sub, aud, iat, exp, nbf), and shows whether the token has already expired. Because decoding is purely local, you can paste real access tokens and session tokens without them leaving your device. Useful when debugging auth flows, OAuth integrations, or third-party APIs that hand back opaque-looking JWTs.
JWT decoder features
- 01 Header, payload, and claims at a glance
  The decoder splits your JWT into its three segments, pretty-prints the header and payload as JSON, and shows standard claims — algorithm, subject, issuer, audience, issued-at, expiry — in a compact summary above the raw output.
- 02 Expiry and timing checks
  The exp claim is translated to an ISO timestamp and tagged as valid or expired relative to your current clock. Same for nbf (not-before) and iat (issued-at). No more manual Unix-to-Date conversions.
- 03 Decoder only — never uploaded
  Tokens are decoded in your browser using native atob. Nothing is ever sent to a server. Safe for pasting production JWTs, API access tokens, or session cookies while debugging.
JWT decoder FAQ
- What is a JWT?
- A JSON Web Token is a compact, URL-safe token format made of three Base64URL-encoded segments separated by dots: a header (algorithm and type), a payload (the claims), and a signature. JWTs are widely used for authentication, authorization, and short-lived API access.
- Does this decoder verify the signature?
- No. The decoder only parses the header and payload to show what's inside. Signature verification requires the issuer's secret or public key, which must stay on your server — never paste it into a web tool. Verify signatures server-side in your app.
- Is it safe to paste a real JWT here?
- Decoding happens entirely in your browser — the token is never transmitted. However, JWTs are not encrypted (anyone with the token can read the claims), so treat them like passwords: don't share them, don't commit them, and rotate them if they leak.
- Why is the signature shown but not verified?
- The signature is displayed so you can compare it with what your server produces during debugging. Actual verification requires the signing key (HMAC secret or RSA/EC public key), which the decoder has no access to and shouldn't.
- What does "exp" mean?
- exp is the expiration claim — a Unix timestamp after which the token should be rejected. The decoder converts it to an ISO timestamp and shows a green tag if it's still in the future, or a red tag if the token has already expired.
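The local decoding and the exp/nbf timing check described above can be sketched as follows. This is an added example, not Handytool's own code; the function names (base64UrlDecode, decodeJwt, makeSampleToken), the status strings, and the sample token are assumptions constructed for illustration.

```javascript
// Decode a JWT locally and classify its timing claims.
// The signature is never checked, so every decoded value is untrusted input.

// Base64URL -> UTF-8 string. atob only accepts standard Base64, so the
// URL-safe alphabet is mapped back and the stripped padding is restored.
function base64UrlDecode(segment) {
  if (!/^[A-Za-z0-9_-]*$/.test(segment)) throw new Error("not Base64URL");
  if (segment.length % 4 === 1) throw new Error("invalid Base64URL length");
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  // atob yields one char per byte; re-decode as UTF-8 so non-ASCII claims survive.
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const header = JSON.parse(base64UrlDecode(parts[0]));
  const payload = JSON.parse(base64UrlDecode(parts[1]));
  const iso = (t) => (Number.isFinite(t) ? new Date(t * 1000).toISOString() : null);
  // exp: reject on or after this instant; nbf: reject before it.
  let status = "valid";
  if (Number.isFinite(payload.nbf) && nowSeconds < payload.nbf) status = "not yet valid";
  if (Number.isFinite(payload.exp) && nowSeconds >= payload.exp) status = "expired";
  return {
    header, payload, status,
    signature: parts[2],        // displayed for comparison only
    signatureVerified: false,   // verification needs the issuer's key, server-side
    expiresAt: iso(payload.exp), notBefore: iso(payload.nbf), issuedAt: iso(payload.iat),
  };
}

// Builds a constructed sample token with a placeholder signature (not a real credential).
function makeSampleToken(claims) {
  const enc = (obj) => {
    const bytes = new TextEncoder().encode(JSON.stringify(obj));
    return btoa(String.fromCharCode(...bytes))
      .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  };
  return `${enc({ alg: "HS256", typ: "JWT" })}.${enc(claims)}.c2lnbmF0dXJl`;
}

const sample = makeSampleToken({
  iss: "https://issuer.example", sub: "usér-42", iat: 1700000000, exp: 1700003600,
});
console.log(decodeJwt(sample, 1700000100));
```

The status reflects only the local clock and unverified claims, so it is a debugging aid and not an authorization decision.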