JWT Decoder & Debugger
Decode a JWT and inspect its claims, expiry, and risks.
About this tool
Decode and inspect any JSON Web Token in your browser. See the header, payload, and claims, convert expiry timestamps to readable dates, and catch risks like alg:none and never-expiring tokens.
Frequently asked questions
- Is my token sent to a server?
- No. The token is decoded locally in your browser and never transmitted. Even so, treat any real JWT as a live credential - if you paste a production token anywhere, rotate it afterward.
- Does this verify the signature?
- No, and that is by design. Verifying a JWT's signature requires the secret or public key, which should never leave your server. This tool decodes and inspects the header and payload so you can debug claims and expiry; it does not confirm the token is authentic.
- What risks does it flag?
- It warns on alg:none (an unsigned token, which is a critical misconfiguration), a missing exp claim (a token that never expires), tokens that are already expired, and long-lived tokens whose lifetime is unusually large.
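The decode-and-flag checks described in the answers above, sketched as an added example (this is not the tool's own code). The function names, the risk labels, and the 30-day cutoff for "long-lived" are assumptions, and the sample token is constructed for the demonstration; like the tool, it does not verify the signature.

```javascript
// Added example: names, labels and threshold are assumptions, not the tool's code.
const MAX_LIFETIME_S = 30 * 24 * 3600; // assumed cutoff for "unusually large": 30 days

// Decode one base64url JWT segment to an object (Node Buffer; a browser would use atob).
function decodeSegment(seg) {
  if (!/^[A-Za-z0-9_-]+$/.test(seg)) throw new Error('segment is not base64url');
  const b64 = seg.replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Decode header and payload WITHOUT verifying the signature, and list the risks found.
function inspectJwt(token, nowS = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const header = decodeSegment(parts[0]);
  const payload = decodeSegment(parts[1]);
  const risks = [];
  // alg values are matched case-insensitively so "None"/"NONE" are flagged too.
  if (String(header.alg).toLowerCase() === 'none') risks.push('alg-none');
  let expiresAt = null;
  if (typeof payload.exp !== 'number') {
    risks.push('no-exp'); // token never expires
  } else {
    expiresAt = new Date(payload.exp * 1000).toISOString(); // exp is seconds since epoch
    if (payload.exp <= nowS) risks.push('expired');
    // Lifetime is measured from iat when present, otherwise from "now".
    const start = typeof payload.iat === 'number' ? payload.iat : nowS;
    if (payload.exp - start > MAX_LIFETIME_S) risks.push('long-lived');
  }
  return { header, payload, expiresAt, risks };
}

// Builds a constructed sample token with a placeholder signature (demonstration input only).
function makeSample(header, payload, sig = 'c2ln') {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc(header)}.${enc(payload)}.${sig}`;
}

// Constructed input: one-hour token, inspected two hours after issue.
const sample = makeSample({ alg: 'HS256', typ: 'JWT' },
  { sub: 'demo', iat: 1700000000, exp: 1700003600 });
console.log(inspectJwt(sample, 1700007200));
```

An empty `risks` array only means none of these four checks fired; authenticity still has to be established by signature verification on the server.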