JWT Decoder

Decode and inspect JWT tokens — view header, payload, and expiration. This tool does not verify signatures.

How to Use JWT Decoder

  1. Paste your JWT

    Paste a JSON Web Token into the input field. The tool expects the standard three-part format: header.payload.signature.

  2. View the decoded header

    The header section shows the signing algorithm (e.g., HS256, RS256) and token type.

  3. Inspect the payload

    The payload section displays all claims. Timestamps like iat and exp are shown in both Unix and human-readable format.

  4. Check expiration status

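    The tool automatically indicates whether the token is still valid or has expired based on the exp claim. This is a time check only: because the signature is not verified, an unexpired token is not necessarily an authentic one.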

Key Features

Instant Decoding

The token is decoded as soon as you paste it — no submit button needed.

Human-Readable Timestamps

Unix timestamps in iat, exp, and nbf claims are automatically converted to readable dates and times.

Expiration Status

Instantly see whether a token is currently valid or expired, with a clear visual indicator.

Header & Payload Separation

Header and payload are displayed in separate, formatted sections for easy inspection.

Signature Display

The raw signature portion is shown so you can identify the token's three parts.

Common Use Cases

  • Debugging Authentication

    Decode JWTs from your app's auth flow to verify that claims, roles, and permissions are set correctly.

  • Inspecting Third-Party Tokens

    Examine tokens issued by OAuth providers (Google, GitHub, Auth0) to understand what data they include.

  • Checking Token Expiration

    Quickly determine if a JWT has expired when troubleshooting 401 errors or session timeout issues.

Frequently Asked Questions

Does this tool verify the JWT signature?

No. This tool decodes and displays the header and payload but does not verify the cryptographic signature. Signature verification requires the signing secret or public key and should be done server-side. Until a token has been verified, treat its decoded claims as untrusted.

Is it safe to paste my JWT here?

Yes. All decoding happens locally in your browser — your token is never sent to any server. However, avoid sharing JWTs publicly as they may contain sensitive claims.

What JWT algorithms are supported?

The decoder works with any JWT regardless of the signing algorithm (HS256, RS256, ES256, etc.) because it only decodes the Base64url-encoded header and payload and does not perform signature verification.

Why does my token show as expired?

The tool compares the exp (expiration) claim to your device's current time. If the token was issued for a short-lived session or your clock is out of sync, it may appear expired.
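
The decode-only behaviour described in the answers above, as an added example that is not this tool's own code: it splits the token, Base64url-decodes the header and payload, converts iat/nbf/exp to dates, and compares exp to a clock value passed in by the caller. The function names, status strings and sample token are assumptions constructed for illustration.

```javascript
// Added example: decode-only JWT inspection. Nothing here checks the signature,
// so every returned value is untrusted input.
function b64urlToJson(segment) {
  // Base64url -> Base64: swap the URL-safe characters and restore padding.
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/")
    .padEnd(Math.ceil(segment.length / 4) * 4, "=");
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder("utf-8", { fatal: true }).decode(bytes));
}

function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const [header, payload] = parts.slice(0, 2).map(b64urlToJson);
  if ([header, payload].some((v) => v === null || typeof v !== "object")) {
    throw new Error("header and payload must be JSON objects");
  }

  // iat/nbf/exp are seconds since the Unix epoch; render them as ISO 8601.
  const dates = {};
  for (const claim of ["iat", "nbf", "exp"]) {
    if (typeof payload[claim] === "number") {
      dates[claim] = new Date(payload[claim] * 1000).toISOString();
    }
  }

  // Time check only, against the caller's clock (a skewed clock skews the result).
  let status = "no-exp-claim";
  if (typeof payload.exp === "number") {
    status = nowSeconds >= payload.exp ? "expired" : "not-expired";
  }
  if (status !== "expired" && typeof payload.nbf === "number" && nowSeconds < payload.nbf) {
    status = "not-yet-valid";
  }
  return { header, payload, dates, status, signature: parts[2], verified: false };
}

// Sample-building helper and constructed token; the third segment is a
// placeholder string, not a real signature.
const encodeSegment = (obj) =>
  btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE = [
  encodeSegment({ alg: "HS256", typ: "JWT" }),
  encodeSegment({ sub: "alice", iat: 1700000000, exp: 1700003600 }),
  "c2lnbmF0dXJl",
].join(".");

console.log(inspectJwt(SAMPLE, 1700000100));
```

The result always carries verified: false, since accepting a token for authorization still requires a server-side signature check with the signing secret or public key.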