DEVELOPER TOOLS

JWT Decoder

Decode and inspect JWT header and payload. Time claims (exp, iat, nbf) annotated as ISO dates. Decoding only — no signature verification.

01 Why this JWT tool

Read tokens, safely.

Four reasons developers and QA folks open this tab instead of jwt.io.

  • 01

    Header, payload, signature — all three

    Paste a token and see each segment decoded into readable JSON. No more eyeballing dot-separated base64 strings.

  • 02

    Time claims rendered as real dates

    iat, exp, nbf — automatically translated to ISO timestamps and a relative 'expires in X' note, so you don't have to do epoch math.

  • 03

    Decodes as you paste

    Drop a token in and the panels light up. Useful when you're cycling tokens during a debug session.

  • 04

    Decoding only — never verified or stored

    The token stays in your tab. We don't verify signatures, contact the issuer, or log anything. JWTs often carry user data — that data stays yours.

02 How it works

Paste, read, copy.

  1. Token
    eyJhbGciOiJIUzI1NiIs…
    .eyJzdWIiOiIxMjM0NTY…
    .SflKxwRJSMeKKF2QT4f…

    Step 1: Paste a JWT

    Drop in a token from your auth header, cookie, or logs. The three dot-separated segments are all the tool needs.

  2. View
    Header · Payload · Signature

    Step 2: Read the panels

    Header on top, payload below, signature at the bottom. Time-based claims show absolute and relative time so you can see expiry at a glance.

  3. Copied
    Claim · sub: 1234567890 · JSON · per-field copy

    Step 3: Copy a claim or share the decoded view

    Hit Copy on any field to grab the value. Useful when filing a bug, opening a ticket, or pairing with someone on Slack.

03 Use cases

Where decoding helps.

Debugging auth, auditing scopes, and confirming claims — the everyday JWT jobs.

  • Debug a 401 from your API

    Token came back rejected. Decode it, check exp, check the issuer, check the scopes — usually the answer is right there in the payload.

    Bearer token → expired or wrong audience
  • Inspect the user info encoded in a session

    Frontend wants to know who is signed in. Decode the access token, read the sub or email claim.

    Cookie → user id, roles, plan
  • Confirm a token is actually expired

    Logged-out flow firing unexpectedly? Decode and read exp as a real date — sometimes it's the clock skew, not the logic.

    exp 1731552000 → 2024-11-13 21:20 UTC
  • Audit OAuth scopes after login

    OAuth provider gave you a token. Decode it to confirm you actually got the scopes you asked for before the app starts making calls.

    scope claim → read:profile read:email
  • Check a token in a server log

    Logs have masked tokens you can copy. Decode the captured value to see exactly what the backend received.

    Server log line → decoded claims
  • Confirm a refresh-token rotation

    After a refresh you should get a token with a new jti and a later iat. Decode both, eyeball the change.

    Old token vs new token

04 Quick tips

Decode with care.

Four rules to avoid the recurring JWT footguns.

  • 01

    Decoding is not verification

    Anyone can read a JWT — that's the point. To trust the contents, your server must check the signature with the issuer's key: the public key for asymmetric algorithms such as RS256, or the shared secret for HS256. This tool only decodes.

  • 02

    exp and iat are seconds, not milliseconds

    Multiply by 1000 if you're comparing to JavaScript Date.now(). The tool handles the conversion for you in the display.

  • 03

    Don't put secrets in a JWT

    Claims are base64url-encoded, not encrypted. Treat the payload as public — anyone who has the token can read it.

  • 04

    Audience and issuer matter

    When a token from one service is presented to another, aud and iss are how the receiver decides whether to trust it. Always check both in your verification code.
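What the verification these tips call for can look like on a server, as an added Node.js example (not code from this tool): it pins the algorithm, compares the signature in constant time, then checks iss, aud, exp and nbf in seconds. HS256 with a shared secret is used so the example runs without key files; with RS256 or ES256 the same steps apply with the issuer's public key. The names `verifyJwt`, `mintToken`, `parseSeg` and the `DEMO` values are assumptions made for illustration.

```javascript
// Added example: server-side JWT verification sketch (Node.js, HS256 only).
const crypto = require("node:crypto");

// Constructed demo values, not real credentials.
const DEMO = { secret: "constructed-demo-secret", issuer: "https://issuer.example", audience: "orders-api" };

const b64url = (data) => Buffer.from(data).toString("base64url");
const sign = (input, secret) => crypto.createHmac("sha256", secret).update(input).digest();

// Hypothetical helper: mints a test token so the example runs offline.
function mintToken(claims, secret) {
  const head = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = b64url(JSON.stringify(claims));
  return `${head}.${body}.${b64url(sign(`${head}.${body}`, secret))}`;
}

// Decode one segment to a JSON object, or null if it is not one.
function parseSeg(segment) {
  try {
    const value = JSON.parse(Buffer.from(segment, "base64url").toString("utf8"));
    return value && typeof value === "object" ? value : null;
  } catch { return null; }
}

function verifyJwt(token, { secret, issuer, audience, nowMs = Date.now(), skewSec = 60 }) {
  const parts = token.split(".");
  if (parts.length !== 3) return { ok: false, reason: "not a three-segment JWS" };
  const [head, body, sig] = parts;
  const header = parseSeg(head);
  // Pin the algorithm on the server; never let the token choose it.
  if (!header || header.alg !== "HS256") return { ok: false, reason: "unexpected alg" };
  const expected = sign(`${head}.${body}`, secret);
  const given = Buffer.from(sig, "base64url");
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: "bad signature" };
  }
  // Claims are read only after the signature check has passed.
  const claims = parseSeg(body);
  if (!claims) return { ok: false, reason: "malformed payload" };
  const nowSec = Math.floor(nowMs / 1000); // Date.now() is ms, claims are seconds
  if (claims.iss !== issuer) return { ok: false, reason: "wrong issuer" };
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(audience)) return { ok: false, reason: "wrong audience" };
  const expired = typeof claims.exp !== "number" || nowSec >= claims.exp + skewSec;
  if (expired) return { ok: false, reason: "expired" };
  if (typeof claims.nbf === "number" && nowSec + skewSec < claims.nbf) return { ok: false, reason: "not yet valid" };
  return { ok: true, claims };
}
```

The `skewSec` allowance covers the clock-skew case; a token without an `exp` claim is rejected rather than treated as non-expiring.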

05 Loved by

Backend, frontend, and QA.

  • Debugging a 401 from a third-party API. Pasted the token, saw the audience was wrong, fixed the config. Three minutes start to finish.
    Elena M.
    Backend developer
  • Reading the role claim out of our session token to set up a feature flag. Decode here, copy the value, done.
    Daria V.
    Frontend developer
  • Sharing decoded payloads in bug tickets makes auth issues so much easier to triage. The dev knows exactly what the API received.
    Tomás P.
    QA engineer

06 Questions

JWTs, plainly answered.

Questions people ask before pasting a real token. Missing one? hello@wirelogs.com.

01 What is a JWT?

A JSON Web Token is a compact, URL-safe string used to carry authenticated claims between services. It has three base64url-encoded parts — header, payload, signature — joined by dots.

02 Does this tool verify the signature?

No. Verifying a signature requires the issuer's signing key, which we never see. This tool decodes only. Production code should always verify before trusting.

03 Are my tokens sent anywhere?

No. Decoding happens entirely in your browser. The tool doesn't transmit, log, or store the token. Useful for inspecting real session tokens without leaking them to a third party.

04 What do iat, exp, nbf mean?

iat is issued-at, exp is expiry, nbf is not-before. All three are seconds since the Unix epoch. The tool renders them as ISO timestamps next to the raw values.

05 Can I decode encrypted tokens (JWE)?

Not without the decryption key. JWE tokens look similar but have five segments instead of three. This tool focuses on JWS — the signed-only variant that makes up the vast majority of real-world JWTs.
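The decode path described in "How it works" and in the answers on time claims and JWE, as an added example that is not the tool's own code: it splits the segments, base64url-decodes header and payload, renders exp, iat and nbf as ISO timestamps, and separates three-segment JWS from five-segment JWE. The names `inspectJwt`, `b64urlToText` and the sample token are constructed for illustration.

```javascript
// Added example: decode-only inspection, as a browser tab would do it locally.
const TIME_CLAIMS = ["exp", "iat", "nbf"];

// base64url -> text: restore '+', '/', and '=' padding, then decode as UTF-8.
function b64urlToText(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

function inspectJwt(token, nowMs = Date.now()) {
  const parts = token.trim().split(".");
  if (parts.length === 5) {
    return { kind: "JWE", error: "encrypted token, payload needs the decryption key" };
  }
  if (parts.length !== 3) {
    return { kind: "unknown", error: `expected 3 segments, got ${parts.length}` };
  }
  let header, payload;
  try {
    header = JSON.parse(b64urlToText(parts[0]));
    payload = JSON.parse(b64urlToText(parts[1]));
    if (payload === null || typeof payload !== "object") throw new TypeError("not an object");
  } catch {
    return { kind: "JWS", error: "header or payload is not base64url JSON" };
  }
  const times = {};
  for (const name of TIME_CLAIMS) {
    // Claims are seconds since the epoch; JavaScript dates use milliseconds.
    if (typeof payload[name] === "number") {
      const d = new Date(payload[name] * 1000);
      times[name] = Number.isNaN(d.getTime()) ? "out of range" : d.toISOString();
    }
  }
  const expired = typeof payload.exp === "number" ? payload.exp * 1000 <= nowMs : null;
  // verified is always false: nothing here checks the signature segment.
  return { kind: "JWS", verified: false, header, payload, times, expired };
}

// Constructed sample token; the third segment is a placeholder, not a real signature.
const seg = (obj) =>
  btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE_TOKEN = [
  seg({ alg: "HS256", typ: "JWT" }),
  seg({ sub: "1234567890", iat: 1700000000, exp: 1700003600 }),
  "c2lnbmF0dXJl",
].join(".");
```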

06 Is it free?

Yes. No sign-up, no usage cap, no watermark.

Ready when you are

See inside the token.

Paste your JWT above and read the claims. Nothing is transmitted, signed, or stored.

  • 3 panels decoded
  • Local, private
  • $0, now and always