A quick way to read what's inside a JWT (JSON Web Token) when you're debugging an API or chasing down an auth issue: paste it in and see the decoded contents. The tool splits the three base64url parts of `header.payload.signature` and pretty-prints the header and payload as indented JSON. The header's `alg` (HS256, RS256, etc.) and `typ` are shown next to the heading, and the payload's time claims, `exp` (expiry), `iat` (issued-at), `nbf` (not-before) and `auth_time`, which are stored as Unix seconds, are converted into readable dates in your local timezone. If `exp` is in the past the token is flagged as "expired", and if `nbf` is in the future it's flagged as "not valid yet", so you can tell at a glance whether a token is still good. A leading `Bearer ` prefix is stripped automatically, so you can paste a value copied straight from an Authorization header.

Because JWTs often carry access tokens, sessions and personal data (emails, user IDs), all decoding happens inside your browser: your token is never uploaded, stored, or sent to a server.

This tool does **not verify the signature**. Verification needs the issuer's secret key (HS256) or public key (RS256/ES256), and pasting a signing secret into a web page would expose it. Until the signature has been checked, everything shown here, including the `alg` in the header, is simply whatever the token's sender put there, so treat the decoded claims as a debugging aid rather than trusted input. Use decoding to inspect a token's contents, and verify on the server with a proper library.
How to use
- Paste your JWT into the input box on the left (use "Sample" to try it with an example). A leading "Bearer " prefix is fine.
- The header and payload appear instantly on the right as formatted JSON, with exp, iat and nbf claims expanded into readable dates.
- Expired or not-yet-valid tokens are flagged with a badge. Click "Copy" on a panel to grab its JSON. Nothing you paste is sent anywhere.
FAQ
Is the JWT I paste uploaded anywhere?
No. Decoding runs entirely in your browser with JavaScript. Your token is never uploaded, stored, or sent to a server, so it's safe to paste JWTs that contain access tokens, sessions or other sensitive values.
Does it verify the signature?
No. This tool only decodes (displays) the header and payload; it does not verify the signature. Verification requires the issuer's secret key (HS256) or public key (RS256/ES256), and entering those into a web page would expose them. Because nothing is verified, the decoded claims (and the `alg` field itself) are untrusted: anyone can mint a token with any contents. Use this tool to inspect contents, and verify on the server with a proper library.
Why are exp and iat shown as dates?
JWT time claims — exp (expiry), iat (issued-at), nbf (not-before) and auth_time — are stored as Unix seconds (seconds since 1970). The tool detects these automatically and converts them into readable dates in your local timezone. It also flags exp in the past as "expired" and nbf in the future as "not valid yet".
I get "Not a JWT" or "Could not decode".
A JWT is a dot-separated, base64url string of the form header.payload.signature. If the dots are missing, a part is absent, a segment isn't valid base64url, or a decoded segment isn't JSON, it can't be decoded. Check that you copied the whole token without extra spaces or line breaks.
Can it read encrypted tokens (JWE)?
No. This tool decodes the base64url header and payload of signed tokens (JWS, the usual kind of JWT). A JWE has five dot-separated parts rather than three and an encrypted payload that can't be read without the key, so it's out of scope.