Is the signature verified?

No. This tool only decodes the header and payload. It does NOT verify the signature. Never trust a decoded token as authentic unless you also verify the signature with the correct secret or public key.

Is my token sent to a server?

No. All decoding happens entirely in your browser using JavaScript. Your token never leaves your device.

What token formats are supported?

Any standard three-part JWT (header.payload.signature) encoded with Base64url. This covers RS256, HS256, ES256, and all other common algorithms.

What does "Bearer" mean in the token?

The word "Bearer" is just the HTTP Authorization scheme prefix (e.g. Authorization: Bearer ). This tool accepts the token with or without that prefix and strips it automatically.

Why does the expiry show as a strange number?

JWT timestamps (exp, iat, nbf) are Unix timestamps — seconds since January 1 1970. This tool converts them to a readable date/time string automatically.

Bearer Token / JWT Quick Decoder

Name: Bearer Token / JWT Quick Decoder
Availability: InStock
Author: Nham Vu

Paste any JWT or Bearer token to instantly decode and inspect its header and payload in your browser.

Paste Bearer Token or JWT

Token Structure

Signature

Signature is NOT verified. The header and payload above may have been tampered with unless you verify the signature independently.

Paste a JWT above and click Decode to inspect the header and payload.

Copied!

Summary

Paste any JWT or Bearer token to instantly decode and inspect its header and payload in your browser.

How it works

Paste your JWT or Bearer token into the input field.
The tool splits the token on dots and Base64url-decodes the first two segments.
The decoded header (algorithm, token type) is displayed in the left panel.
The decoded payload (claims such as sub, exp, iat) appears in the right panel.
Expiry and issued-at timestamps are converted to human-readable dates automatically.
Click any field to copy its value to the clipboard.

Use cases

Quickly inspect claims inside an access token during API development.
Check token expiry without writing any code.
Debug authentication issues by reading the algorithm and key ID in the header.
Verify that a backend is issuing the correct subject and scope claims.
Decode tokens from CI/CD pipelines or cloud provider SDKs.
Onboard new team members by showing them what a JWT actually contains.

Frequently Asked Questions

Last updated: 2026-06-09 · Reviewed by Nham Vu