PixConvert

JWT Decoder

Paste a JWT token to instantly decode and inspect its header, payload, and signature — entirely in your browser.

Why Use PixConvert JWT Decoder

Zero-risk token inspection. Your tokens never leave your device.

Instant Decode

Header and payload decoded the moment you paste. No button required.

Zero Network Risk

JWT decoding is pure client-side base64url parsing. Tokens never leave your browser.

Expiry Detection

Automatically detects exp, iat, and nbf claims and shows human-readable timestamps with expired/active status.

Algorithm Display

Shows the signing algorithm (RS256, HS256, ES384, etc.) from the header.

Formatted JSON

Payload displayed as pretty-printed JSON for easy reading and copying.

Copy Claims

Copy the full payload JSON with one click to paste into test fixtures or debugging sessions.

When You Need a JWT Decoder

Debugging auth flows is faster when you can see token contents instantly.

API Debugging

Inspect Bearer tokens from Authorization headers to understand what claims your API receives.

  • Decode access tokens
  • Check user roles and permissions
  • Verify expiry times

OAuth & OIDC Development

Decode ID tokens and access tokens during OAuth 2.0 and OpenID Connect integration.

  • Inspect id_token claims
  • Verify sub and email fields
  • Check token expiry and nbf

Security Auditing

Review JWT algorithm and claims as part of a security assessment — client-side so no token exposure.

  • Detect weak algorithms (none, HS256)
  • Check claim scope
  • Inspect token lifetime

How to Decode a JWT Token

1. Paste your JWT token into the input field. The decoder splits it at dots and base64url-decodes each part.

2. Header and payload appear as formatted JSON. Standard claims (exp, iat, sub) are highlighted with human-readable labels.

3. Inspect the signature segment and detect expired tokens at a glance — all decoding runs locally, never on our servers.

Frequently Asked Questions

JWT decoding explained.

Is it safe to paste a JWT token here?

The header and payload sections of a JWT are base64url-encoded, not encrypted — they're readable by anyone who has the token. Decoding them here is equivalent to decoding them in your own code. The secret key used for signature verification is never decoded or needed. However, treat JWTs like passwords — don't paste production tokens into untrusted tools.

Does this verify the JWT signature?

No. Signature verification requires the secret key (HMAC) or public key (RSA/ECDSA), which you should never share with a third-party tool. This decoder only reads the header and payload (the first two segments), which are public by design.

What is the exp claim?

The exp (expiration) claim is a Unix timestamp (seconds since epoch) after which the token is invalid. This tool converts it to a human-readable date and shows whether the token is currently active or expired.

What's the difference between access_token and id_token?

In OAuth 2.0/OIDC, the access_token authorizes API calls and may be either opaque or a JWT. The id_token is always a JWT and contains identity claims (sub, email, name). Both can be decoded here.

Why does the signature look like random characters?

The signature is a cryptographic hash of the header and payload, signed with the issuer's secret or private key. It's binary data encoded as base64url — it's not meant to be human-readable. Its purpose is verification, not inspection.