About the Handiwork JWT Decoder
The JWT Decoder splits a JSON Web Token into its header and payload so you can inspect its claims at a glance. Standard time claims like expiry (exp), issued-at (iat), and not-before (nbf) are translated into human-readable dates, and decoding happens entirely in your browser so tokens never leave your machine.
How to use the Handiwork JWT Decoder
- Paste your JSON Web Token into the input.
- Read the decoded header and payload as formatted JSON.
- Check the expiry and issued-at times shown in plain language.
What is inside a JWT?
A JSON Web Token has three base64url-encoded parts separated by dots: a header describing the signing algorithm, a payload containing claims (such as the subject, issuer, and expiry), and a signature. The header and payload are encoded, not encrypted, so anyone holding the token can read their contents.
Decoding is not verifying
This tool decodes a token so you can inspect it, but it does not verify the signature. A valid-looking payload does not prove the token is authentic — always verify the signature against the issuer’s key on the server before trusting a token for authentication or authorization.
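The split-and-decode step described above, as an added JavaScript example (not the Handiwork tool's own code). The function names, the sample claims and the placeholder signature are assumptions constructed for illustration. It shows that a token whose payload was rewritten decodes just as cleanly as the original, which is why decoding alone proves nothing.

```javascript
// Added example: decode-only inspection of a JWT. No signature check is performed.
function b64urlDecode(segment) {
  // base64url -> base64: swap the URL-safe characters and restore padding.
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

function b64urlEncode(text) {
  // Helper used only to build the constructed sample tokens below.
  let bin = "";
  for (const b of new TextEncoder().encode(text)) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const [header, payload] = parts.slice(0, 2).map((p) => JSON.parse(b64urlDecode(p)));
  // Translate the standard NumericDate claims (seconds since epoch) to ISO dates.
  const times = {};
  for (const claim of ["exp", "iat", "nbf"]) {
    if (typeof payload[claim] === "number") {
      times[claim] = new Date(payload[claim] * 1000).toISOString();
    }
  }
  // Expired once the current time reaches exp; depends on the local clock.
  const expired = typeof payload.exp === "number" && payload.exp <= nowSeconds;
  // The third segment is never inspected, so this is always false here.
  return { header, payload, times, expired, signatureVerified: false };
}

// Constructed sample token; the signature segment is a placeholder, not a real MAC.
const header = b64urlEncode(JSON.stringify({ alg: "HS256", typ: "JWT" }));
const claims = { sub: "user-1", role: "user", iat: 1700000000, exp: 1700003600 };
const sampleToken = `${header}.${b64urlEncode(JSON.stringify(claims))}.c2lnbmF0dXJl`;

// Same header and signature, edited payload: the decoder cannot tell the difference.
const editedClaims = { ...claims, role: "admin" };
const editedToken = `${header}.${b64urlEncode(JSON.stringify(editedClaims))}.c2lnbmF0dXJl`;

console.log(decodeJwt(sampleToken, 1700000100));
console.log(decodeJwt(editedToken, 1700000100).payload);
```

Only a server-side check of the signature against the issuer's key would reject the edited token.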
Frequently asked questions
Does this verify the JWT signature?
No. It only decodes the header and payload for inspection. Signature verification requires the issuer’s secret or public key and should be done server-side.
Is my token sent anywhere?
No. Decoding runs entirely in your browser, so your token and its claims never leave your device.
Why does it say my token is expired?
If the payload contains an exp (expiration) claim whose time is in the past, the token is considered expired. The decoder compares it against your device’s current time.