Decode JSON Web Tokens instantly. See the header algorithm, payload claims, expiry status, and signature. Everything stays in your browser.
How to Decode a JWT Token
Inspect JWT headers, payloads, and expiry with The IT Hustle's free JWT Debugger.
1
Paste your JWTPaste the full token (the three Base64URL sections separated by dots) into the input area.
2
Read the decoded sectionsThe header, payload, and signature are split into color-coded panels with the JSON pretty-printed.
3
Check the expiry statusIf the payload contains exp or iat claims, the tool converts them to readable dates and shows a live valid/EXPIRED status.
4
Copy any sectionEach panel has its own Copy button, so you can grab just the payload claims or the header for debugging.
Frequently Asked Questions
The token is decoded entirely in your browser and never sent to any server. That said, treat production tokens like passwords — prefer expired or development tokens when debugging.
No. Verifying a signature requires the secret key or public key it was signed with. The debugger decodes and inspects the token's contents and flags structural problems, but it cannot prove the token is authentic.
Standard JWTs are not encrypted — they're Base64URL-encoded, which anyone can decode. Never put secrets in a JWT payload; the signature only proves the token wasn't tampered with.
iat (issued at) records when the token was created and exp (expiration) records when it stops being valid, both as Unix timestamps. The debugger converts them to readable dates and checks exp against the current time every second.
The most common causes are a truncated paste (missing characters), extra whitespace or quotes around the token, or a token that isn't actually a JWT. A valid JWT has exactly three Base64URL sections separated by dots.