JWT Decoder — JSON Web Token Parser
Paste a JWT, see header and payload decoded — with iat / exp / nbf shown as ISO-8601.
What it does
JWTs (JSON Web Tokens) carry identity and claims between services. They look like three base64-encoded segments separated by dots: header.payload.signature. The signature is opaque, but the header and payload are just base64-encoded JSON — perfectly readable once decoded.
convert2's JWT decoder splits the token, decodes both JSON segments, and also converts the common time claims (iat, exp, nbf) into ISO-8601 so you can see at a glance when the token was issued and when it expires.
Crucially: everything stays local. Pasting a real bearer token into most online decoders sends it to a server whose logs you can't audit. convert2 does it all in JavaScript on your machine.
How to use it
- Paste the JWT into the left pane.
- The output shows
{ header, payload, signature, _decoded }. _decodedcontainsiat_human,exp_human,nbf_humanwhere the original numeric timestamps were present.- Copy, download or share the decoded view — the raw token never leaves your browser.
Example
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkphbmUgRG9lIiwiaWF0IjoxNzE4MDAwMDAwLCJleHAiOjE3NTAwMDAwMDAsInJvbGUiOiJhZG1pbiJ9.4fC5dlQ1iVlM6mG-2FzQqCshQb4bQJ8bKYoKvLZ3dAw{
"header": { "alg": "HS256", "typ": "JWT" },
"payload": {
"sub": "1234567890",
"name": "Jane Doe",
"iat": 1718000000,
"exp": 1750000000,
"role": "admin"
},
"signature": "[43 chars]",
"_decoded": {
"iat_human": "2024-06-10T07:33:20.000Z",
"exp_human": "2025-06-15T20:26:40.000Z"
}
}Why convert2
- Safe for real tokens. No network call. You can verify in DevTools → Network.
- Human timestamps.
iat,exp,nbfare decoded to ISO-8601 alongside the raw seconds-since-epoch. - Standard and URL-safe base64. The typical JWT encoding (URL-safe, no padding) works out of the box.
- Graceful on broken tokens. Malformed input shows a clear error rather than silently failing.
Common use cases
- Checking why an API call returns 401 — is the token expired? Wrong
aud? Missingscope? - Confirming an OAuth login flow produced the expected claims.
- Reading an access token you extracted from a browser Application tab.
- Diffing two tokens issued for the same user to see what the server changed.
JWT Decoder specifics
- Does not verify the signature. Verification needs the signing secret or public key, which you should never paste into a web tool.
- All three standard time claims are decoded:
iat(issued-at),exp(expires),nbf(not-before). - If the payload is not JSON (plain JWT with a non-JSON payload), you'll get an error. That's rare in practice.
- The signature string is replaced with its length for brevity — full signature is kept in memory if you need it.
Frequently asked questions
Does this verify the JWT signature?
No — this decoder only reads the header and payload. Signature verification requires the signing secret or public key, which should never be pasted into a web tool.
Is my token kept private?
Yes. All decoding runs locally in your browser; nothing is uploaded or logged.
What claims are shown?
All claims in the payload, with iat, exp and nbf timestamps also shown in ISO-8601 human-readable format.
Does it work with encrypted JWTs (JWE)?
No. JWEs are encrypted and cannot be decoded without the key. This tool handles standard JWS (signed but not encrypted) tokens.
Can I paste a production token safely?
The decode itself is safe — it happens locally. But pasted tokens still live in your clipboard and browser history, so be mindful of your overall workflow.