JWT Decoder
Decode and inspect JSON Web Tokens. Annotates standard claims and expiry. No upload.
About JWT Decoder
JWT Decoder splits a JSON Web Token into its three parts — header, payload, and signature — and decodes the base64url-encoded JSON so you can read what's inside. It annotates the standard registered claims (iss, sub, aud, exp, nbf, iat, jti) with human-readable labels and converts the timestamp claims into local dates. Expired and not-yet-active tokens are flagged at a glance.
The tool runs entirely in your browser. The token is never uploaded, logged, or stored, which makes it safe for tokens scraped from internal logs, customer reports, or production debugging sessions.
Note that this tool does not verify the JWT signature. JWTs are encoded, not encrypted — anyone with the token can read its contents. Verifying authenticity requires the signing secret or public key, which intentionally lives on your server, not in a public web tool. If you need to verify a token, do it server-side with a library that validates the signature against your key.
Common uses include checking the expiration of an access token that's mysteriously failing, confirming what scopes or roles are baked into a token, debugging the difference between two tokens issued to the same user, and reading the audience or issuer claim when integrating with a third-party identity provider.
How JWT Decoder works
- Paste a JWT (the three-part 'header.payload.signature' string).
- The tool splits on the dots and base64url-decodes the header and payload.
- Each part is parsed as JSON and pretty-printed with proper indentation.
- Standard claims (iss, sub, aud, exp, nbf, iat, jti) are annotated and timestamps are converted to local time.
- If exp is in the past or nbf is in the future, the tool flags the token as expired or not yet valid.
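The steps above, written out as an added JavaScript example (not Utilix's own code). The function names, the `idp.example` issuer and the sample token are assumptions constructed for illustration; dates are rendered in UTC rather than local time so the output is deterministic.

```javascript
// Added example: decode and annotate only. The signature is never verified.
const CLAIM_LABELS = { iss: "Issuer", sub: "Subject", aud: "Audience",
  exp: "Expiration time", nbf: "Not before", iat: "Issued at", jti: "JWT ID" };

// base64url -> UTF-8 text: restore '+' and '/', then re-add the stripped '=' padding.
function b64urlDecode(part) {
  if (!/^[A-Za-z0-9_-]+$/.test(part)) throw new Error("not base64url");
  const b64 = part.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

// Inverse of b64urlDecode, used only to build the constructed sample token.
function b64urlEncode(text) {
  const bin = String.fromCharCode(...new TextEncoder().encode(text));
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const header = JSON.parse(b64urlDecode(parts[0]));
  const payload = JSON.parse(b64urlDecode(parts[1]));
  const annotated = {};
  for (const [name, label] of Object.entries(CLAIM_LABELS)) {
    if (!(name in payload)) continue;
    const isTime = ["exp", "nbf", "iat"].includes(name) && Number.isFinite(payload[name]);
    annotated[name] = { label, value: payload[name],
      date: isTime ? new Date(payload[name] * 1000).toISOString() : undefined };
  }
  // RFC 7519: a token is acceptable only while nbf <= now < exp.
  let status = "active";
  if (Number.isFinite(payload.nbf) && payload.nbf > nowSeconds) status = "not yet valid";
  if (Number.isFinite(payload.exp) && payload.exp <= nowSeconds) status = "expired";
  return { header, payload, annotated, status, signatureVerified: false };
}

// Constructed sample token; "c2ln" is a placeholder, not a real signature.
const sampleToken = [
  b64urlEncode(JSON.stringify({ alg: "HS256", typ: "JWT" })),
  b64urlEncode(JSON.stringify({ iss: "https://idp.example", sub: "user-1",
    nbf: 1700000000, exp: 1700003600, tenant_id: "t-42" })),
  "c2ln",
].join(".");

console.log(inspectJwt(sampleToken, 1700000100));
```

The result always carries `signatureVerified: false`, so nothing downstream can mistake decoded claims for authenticated ones.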
When to use JWT Decoder
- Debug a 401 response by checking whether the access token's exp claim has passed.
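- Confirm what scopes, roles, or permissions are encoded in a token before granting access. Because the tool does not verify the signature, treat what it shows as a debugging aid; the access decision itself still depends on server-side verification.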
- Compare two tokens for the same user to see what changed (issuer, audience, scopes).
- Inspect the audience (aud) claim when integrating with a third-party IdP like Auth0, Okta, or Cognito.
- Check the issuer (iss) claim when migrating between identity providers.
- Read custom claims your auth server adds (tenant_id, organization_id, feature_flags).
Why choose Utilix JWT Decoder
- Decoding is local — production tokens never touch a third-party server, unlike pasting into jwt.io.
- Standard claims are annotated automatically, so you don't have to remember what 'aud' or 'nbf' means.
- Expiration is flagged visually instead of buried as a Unix timestamp.
- Free, no signup, and no cookie wall.
- We deliberately do not verify signatures — verification belongs server-side with your real keys.