JWT Decoder
Decode a JWT’s header and payload, read the claims, and check expiry — without the token leaving your browser.
JSON Web Tokens carry authentication state between services, and sooner or later you need to look inside one: why did the API return 401, which scopes did the identity provider grant, when does this session actually expire? Paste a token and the header and payload decode instantly, with the standard claims — iss, sub, aud, exp, iat, nbf — laid out in a table, timestamps turned into readable dates, and a live status showing whether the token is valid, expired, or not yet active.
A signed JWT (the three-segment JWS form that APIs and identity providers hand out) is only base64url-encoded, not encrypted, so decoding needs no secret. For the same reason, a token pasted into a random website is a credential leak: a JWT is a bearer credential, and anyone who holds it can use it until it expires. This decoder runs entirely in your browser: the token is never transmitted and the page makes no network requests with it. It decodes only; the signature is not verified, so a token that decodes cleanly may still be forged or tampered with.
How to decode a JWT
1. Paste the token; a “Bearer ” prefix is stripped automatically.
2. Read the decoded header and payload, and check the live expiry status chip.
3. Copy the payload JSON or any claim value you need.
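The three steps above as an added example, not the page's own code: a minimal JavaScript decoder that strips a Bearer prefix, normalises the base64url alphabet and padding, decodes UTF-8 strictly, names the segment that failed, and computes the status chip from exp and nbf. It also implements the base64url conversion and the exp check that the FAQ explains further down. The sample token, its issuer, subject and audience names, and the placeholder signature segment are constructed for the example.

```javascript
// Added example (not the page's own code): a minimal decoder that does what the steps above describe.
// Uses only atob, TextEncoder and TextDecoder, so it runs unchanged in a browser or in Node 16+.

// base64url -> bytes. JWT segments use '-' and '_' and drop '=' padding, which is why a
// plain base64 decoder rejects most of them; restore the standard alphabet and padding first.
function base64UrlDecode(segment) {
  if (!/^[A-Za-z0-9_-]*$/.test(segment)) throw new Error('character outside the base64url alphabet');
  if (segment.length % 4 === 1) throw new Error('impossible base64url length');
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/')
                     .padEnd(Math.ceil(segment.length / 4) * 4, '=');
  return Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
}

// One segment -> JSON object, with the error message naming the segment that failed.
function decodeJsonSegment(segment, name) {
  let text;
  try {
    // fatal: true makes malformed UTF-8 an error instead of silently becoming U+FFFD
    text = new TextDecoder('utf-8', { fatal: true }).decode(base64UrlDecode(segment));
  } catch (e) {
    throw new Error(`${name}: ${e.message}`);
  }
  let value;
  try { value = JSON.parse(text); } catch (e) { throw new Error(`${name}: not valid JSON (${e.message})`); }
  if (value === null || typeof value !== 'object' || Array.isArray(value)) {
    throw new Error(`${name}: decoded JSON is not an object`);
  }
  return value;
}

// The status chip: nbf is checked first, and exp is inclusive (now >= exp means expired).
function tokenStatus(payload, now) {
  if (typeof payload.nbf === 'number' && now < payload.nbf) return 'not yet valid';
  if (typeof payload.exp === 'number' && now >= payload.exp) return 'expired';
  return 'valid'; // a token without exp never expires as far as this check can tell
}

// Full decode. `now` is Unix seconds and defaults to the current time; pass it explicitly for tests.
function decodeJwt(raw, now = Math.floor(Date.now() / 1000)) {
  const token = raw.trim().replace(/^Bearer\s+/i, '');   // step 1: strip a Bearer prefix
  const parts = token.split('.');
  if (parts.length !== 3) {
    throw new Error(`structure: expected 3 dot-separated segments, got ${parts.length}`);
  }
  const header = decodeJsonSegment(parts[0], 'header');
  const payload = decodeJsonSegment(parts[1], 'payload');
  // Timestamp claims as readable dates (UTC here; the tool shows local time)
  const dates = {};
  for (const claim of ['iat', 'nbf', 'exp']) {
    if (typeof payload[claim] === 'number') dates[claim] = new Date(payload[claim] * 1000).toISOString();
  }
  return { header, payload, dates, status: tokenStatus(payload, now) };
}

// Only needed to build the constructed sample token below; a decoder itself never encodes.
function base64UrlEncodeJson(obj) {
  const bytes = new TextEncoder().encode(JSON.stringify(obj));
  const bin = Array.from(bytes, (b) => String.fromCharCode(b)).join('');
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Constructed sample: issuer, subject and audience are made-up names, the name claim is
// multi-byte UTF-8, and the third segment is a placeholder because decoding never reads it.
const SAMPLE_TOKEN = [
  base64UrlEncodeJson({ alg: 'HS256', typ: 'JWT' }),
  base64UrlEncodeJson({
    iss: 'https://issuer.example', sub: 'user-42', aud: 'api.example',
    name: 'Zoë 😀', iat: 1700000000, nbf: 1700000000, exp: 1700003600,
  }),
  'placeholder-signature_not-verified-here',
].join('.');

// Steps 2 and 3: decode, read the chip, pick a claim value out
const decoded = decodeJwt(`Bearer ${SAMPLE_TOKEN}`, 1700001800);
console.log(decoded.status, decoded.dates.exp, decoded.payload.sub);
```

Passing `now` explicitly is what makes the chip testable; the real tool recomputes it every second. Note that the signature segment is split off and ignored: nothing here establishes that the claims are genuine.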
Why use Nofolo’s JWT decoder?
Instant decode
Header and payload appear as pretty-printed JSON the moment you paste a token.
Claims explained
iss, sub, aud, exp, iat, and nbf in a table with human-readable local dates.
Live expiry status
A status chip — valid, expired, or not yet valid — recalculated every second against exp and nbf.
Pinpointed errors
A malformed token tells you which segment failed — header, payload, or structure — and why.
base64url + Unicode correct
Handles the JWT alphabet and multi-byte UTF-8 claim values without mangling.
Token stays local
Decoding is done by your browser. No logging, no transmission, no storage.
Frequently asked questions
Does this tool verify the JWT signature?
No. It decodes the header and payload only. Verifying the signature requires the issuer’s secret (for HMAC algorithms such as HS256) or public key (for RS256, ES256 and the other asymmetric algorithms) and should happen server-side, in the service that relies on the token. Never treat a decoded token as trusted input: the payload can be altered without disturbing the decode, and the alg header is under the token holder’s control, so a verifier must pin the algorithm it expects rather than follow whatever the token says.
Is it safe to paste a real token here?
The token is decoded locally in your browser and never transmitted — this page makes no network requests with it. Still, prefer expired or test tokens as a habit: any credential you paste anywhere is one you should be willing to rotate.
Why does my token show as expired?
The exp claim is a Unix timestamp in seconds, not milliseconds. If it is earlier than the current time the token is expired and verifiers will reject it; refresh the session or re-authenticate to get a new one. Two things to check before blaming the token: your machine’s clock, since the status here is computed against it, and that the value really is in seconds, because an exp accidentally written in milliseconds reads as a date thousands of years away and never expires.
What do iss, sub, aud, iat, and nbf mean?
iss is who issued the token, sub is who it is about, aud is who it is intended for (a verifier should reject a token whose aud does not name it), iat is when it was issued, nbf is the time before which it must not be accepted, and exp is when it expires. The three time claims are Unix timestamps in seconds.
Why can’t a normal Base64 decoder read my JWT?
JWT segments use base64url: the - and _ characters instead of + and /, with the = padding removed, so a strict Base64 decoder rejects the alphabet or the missing padding. There are also three segments joined by dots, and the third is raw signature bytes rather than JSON. This decoder converts the alphabet, restores the padding, and splits the segments for you.
Related tools
Base64 Encode / Decode
Encode text or files to Base64 — and decode back — UTF-8 safe, with a URL-safe option.
JSON Formatter
Format, validate, and minify JSON with instant error pinpointing.
Unix Timestamp Converter
Unix timestamps to readable dates and back — seconds or milliseconds, auto-detected.
Hash Generator
MD5, SHA-1, SHA-256, SHA-384, and SHA-512 for text or files — computed in your browser.