OhMyUnit

JWT Decoder

Paste any JWT and see its header, payload, and signature. Standard claims are labelled, and exp is flagged if expired. Signatures are NOT verified — this is a viewer, not a validator.

⚠ This tool only decodes the JWT — it does not verify the signature. Never trust a decoded JWT without server-side verification.

How it works

The token is split on the dots into three parts. The header and payload are base64URL-decoded and JSON-parsed. The signature is shown as the raw third segment. Standard claim names (iss, sub, aud, etc.) are labelled, and timestamps (exp, nbf, iat) are expanded to UTC date-times.
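The decode steps described above, written out as an added example (not this site's own code). The function names, the return shape and the sample token are assumptions; the label strings are the registered claim names from RFC 7519.

```javascript
// Added example: decode-only JWT viewer logic. Nothing here verifies the signature.
const CLAIM_LABELS = {            // registered claim names from RFC 7519
  iss: "Issuer", sub: "Subject", aud: "Audience", exp: "Expiration Time",
  nbf: "Not Before", iat: "Issued At", jti: "JWT ID",
};
const TIME_CLAIMS = ["exp", "nbf", "iat"];

// base64URL -> parsed JSON object. Restores '+', '/' and '=' padding before atob().
function decodeSegment(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error("not base64URL");
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  const obj = JSON.parse(new TextDecoder("utf-8", { fatal: true }).decode(bytes));
  if (obj === null || typeof obj !== "object" || Array.isArray(obj)) throw new Error("not a JSON object");
  return obj;
}

// nowSeconds is injectable so the expiry check can be exercised deterministically.
function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const header = decodeSegment(parts[0]);
  const payload = decodeSegment(parts[1]);
  const claims = Object.keys(payload).map((name) => {
    const value = payload[name];
    const isTime = TIME_CLAIMS.includes(name) && Number.isFinite(value);
    return {
      name, value, label: CLAIM_LABELS[name] ?? null,
      utc: isTime ? new Date(value * 1000).toISOString() : null,
    };
  });
  // null means "no usable exp claim", which is not the same as "not expired".
  const expired = Number.isFinite(payload.exp) ? payload.exp < nowSeconds : null;
  return { header, payload, signature: parts[2], claims, expired, verified: false };
}

// Constructed sample token; the signature segment is a placeholder, not a real MAC.
const enc = (o) => btoa(JSON.stringify(o)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE = [enc({ alg: "HS256", typ: "JWT" }),
  enc({ iss: "https://issuer.example", sub: "user-123", exp: 1700000000 }), "c2ln"].join(".");
```

The result always carries `verified: false`, so calling code cannot mistake a decoded token for a validated one.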

FAQ

Why do you not verify the signature?

Verification requires the secret key (for HMAC algorithms) or the public key (for RSA/ECDSA). Sending the secret to a static site is the opposite of safe. For verification, use your server or a CLI tool where you already have the key.

How is "expired" determined?

If the payload contains an exp claim (a Unix timestamp in seconds), we compare it to the current time. If exp is in the past, the token is marked EXPIRED. Tokens without exp cannot be evaluated this way.

Is my JWT sent anywhere?

No. The token is parsed entirely in your browser via base64URL decoding and JSON.parse.
