How do I decode a JWT token?

Paste the full JWT token (the long string with two dots separating three parts) into the input field. The tool instantly decodes the header (algorithm, type) and payload (claims, expiration, issuer) without needing any secret key.

Is it safe to paste my JWT token here?

Yes. The decoding happens entirely in your browser using JavaScript — no data is sent to any server. JWTs are encoded (Base64URL), not encrypted, so decoding doesn't require your secret key.

What are the three parts of a JWT?

A JWT has three Base64URL-encoded parts separated by dots: the Header (algorithm and token type), the Payload (claims like user ID, expiration, roles), and the Signature (cryptographic proof the token hasn't been tampered with).

How do I check if my JWT is expired?

Paste your token and look at the exp (expiration) claim in the decoded payload. The tool shows both the raw Unix timestamp and a human-readable date, plus an indicator showing whether the token is currently expired.

Decodificador JWT

Decodifica tokens JWT: cabecera, payload y caducidad

JWT Token

Inspect JWT claims without touching production

Authentication bugs are often token bugs — a missing claim, a wrong audience, an expired exp, the wrong algorithm. Decoding a JWT in the browser shows you the header, payload, and expiry instantly without sending the token to any server, so you can debug login, authorization, and API access issues with confidence.

Use the decoder when you need to

Debug an expired or rejected token

Look at the exp, nbf, and iat claims to confirm whether the token is past its lifetime or not yet valid.

Verify the claims your backend expects

Check that the audience, issuer, scopes, and custom claims match what your authorization layer requires.

Audit a token before pasting it into a ticket

Decode the payload to confirm there's nothing sensitive inside before sharing the token in a bug report.

How to decode a JWT quickly

1
Paste the JWT (the long string with two dots) into the input field.
2
Inspect the decoded header, payload, and expiry status.
3
Copy specific claims or the full payload for use in a bug report or test.

Keep going

Decode arbitrary Base64

Use the encoder/decoder when the value isn't a JWT but is still Base64-encoded.

Test an authenticated request

Replay the request that produced the token to verify auth end-to-end.

Format the payload

Beautify the decoded payload before pasting it into another tool.

Validate the payload

Run a syntax check on custom claims if your decoder produced unusual output.

Common JWT debugging workflows

Diagnose 401 errors from an API

Decode the token to see if the expected claim is missing or the audience is wrong.

Check token expiry during integration

Confirm a freshly minted token's expiry matches your auth provider's configured lifetime.

Audit roles and scopes

Verify the user has the right scopes before troubleshooting authorization in your code.

Herramientas relacionadas

Base64 codificar / decodificar

Codifica y decodifica cadenas Base64 en el navegador

Formateador JSON

Embellece y formatea JSON con sangría configurable

Validador JSON

Valida JSON con mensajes de error detallados y números de línea

Visor JSON

Explora JSON con vistas de árbol, tabla y texto

Preguntas frecuentes

Pega el JWT completo (la cadena larga con dos puntos que separan tres partes) en el campo de entrada. La herramienta decodifica al instante el header (algoritmo, tipo) y el payload (claims, expiración, issuer) sin necesitar ninguna clave secreta.

Sí. La decodificación ocurre completamente en tu navegador con JavaScript: no se envían datos a ningún servidor. Además, los JWT están codificados (Base64URL), no cifrados, por lo que decodificarlos no requiere tu secret key.

Un JWT tiene tres partes codificadas en Base64URL y separadas por puntos: el Header (algoritmo y tipo de token), el Payload (claims como ID de usuario, expiración, roles) y la Signature (prueba criptográfica de que el token no ha sido manipulado).

Pega tu token y revisa el claim exp (expiration) en el payload decodificado. La herramienta muestra el timestamp Unix y una fecha legible, además de un indicador que señala si el token ya está expirado.