JWT Decoder

Decode a JSON Web Token to read its header, payload, and signature. Detects expired tokens.

100% in your browser · No uploads
Header
{
  "alg": "HS256",
  "typ": "JWT"
}
Payload
{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}
  • iat: 1516239022 → 2018-01-18T01:30:22.000Z
Signature

SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Uvelia does not verify signatures — it only decodes the token.

What this does

JWT Decoder splits a JSON Web Token into its three parts (header, payload, signature) and decodes the first two so you can read what's inside. Detects whether the token is expired based on the `exp` claim.

When to use it

  • Inspecting an auth token your backend or API returned
  • Debugging why a token is being rejected (wrong audience, expired, etc.)
  • Verifying the claims your auth provider is setting
  • Confirming a token's expiry time before using it

Frequently asked

Does Uvelia verify the signature?

No — verification requires the signing secret or public key, which Uvelia doesn't have (and shouldn't). The decoder shows you the contents; signature verification has to happen on the server that issued the token.

Is it safe to paste a real JWT here?

Decoding happens entirely in your browser — nothing is sent to a server. That said, a JWT is still a credential. Don't paste it into anything (Uvelia included) that another person might see.