JWT Decoder

Paste a token to inspect its header, payload and expiry — and verify HMAC signatures with your secret. Everything runs in your browser. No request is made, nothing is logged, your token never leaves this page.

Verify signature (HS256 / HS384 / HS512)

Verification uses the WebCrypto API locally. RS/ES (public-key) tokens decode fine; their signature check needs the issuer's public key and is out of scope here.

What this tool shows you

A JSON Web Token is three Base64URL segments: header.payload.signature. The header declares the signing algorithm, the payload carries the claims, and the signature proves the token wasn't altered. This decoder pretty-prints both JSON segments and translates the time claims — exp (expiry), iat (issued at), nbf (not before) — into human-readable dates, flagging expired tokens immediately. That covers the two most common debugging questions: "what's actually inside this token?" and "did it expire?"
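The decode, time-claim and HMAC verification steps described above, as an added example (not this tool's own source). The function names are hypothetical, the sample token is built by `signSample` from constructed claims and a constructed secret, and the `require` fallback exists only so the block also runs under older Node versions.

```javascript
// Added example: decode a JWT and verify HS256/HS384/HS512 locally with WebCrypto.
const subtle = globalThis.crypto?.subtle ??
  (typeof require === 'function' ? require('node:crypto').webcrypto.subtle : undefined);
const HASH = { HS256: 'SHA-256', HS384: 'SHA-384', HS512: 'SHA-512' }; // algorithm allowlist
const enc = new TextEncoder();

const b64urlToBytes = (s) => {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/').padEnd(Math.ceil(s.length / 4) * 4, '=');
  return Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
};
const bytesToB64url = (bytes) =>
  btoa(String.fromCharCode(...bytes)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

function decodeJwt(token, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const [header, payload] = parts.slice(0, 2)
    .map((p) => JSON.parse(new TextDecoder().decode(b64urlToBytes(p))));
  const times = {}; // exp / iat / nbf are seconds since the epoch
  for (const k of ['exp', 'iat', 'nbf'])
    if (typeof payload[k] === 'number') times[k] = new Date(payload[k] * 1000).toISOString();
  return { header, payload, times,
    expired: typeof payload.exp === 'number' && nowSec >= payload.exp,
    notYetValid: typeof payload.nbf === 'number' && nowSec < payload.nbf };
}

const importKey = (alg, secret, usage) =>
  subtle.importKey('raw', enc.encode(secret), { name: 'HMAC', hash: HASH[alg] }, false, [usage]);

async function verifyHmac(token, secret) {
  const [h, p, sig] = token.trim().split('.');
  const { alg } = decodeJwt(token).header;
  if (!Object.hasOwn(HASH, alg)) return false; // rejects "none", RS*/ES* and unknown values
  const key = await importKey(alg, secret, 'verify');
  return subtle.verify('HMAC', key, b64urlToBytes(sig), enc.encode(`${h}.${p}`));
}

// Builds the constructed sample token; a decoder itself never needs to sign.
async function signSample(claims, secret, alg = 'HS256') {
  const seg = (o) => bytesToB64url(enc.encode(JSON.stringify(o)));
  const input = `${seg({ alg, typ: 'JWT' })}.${seg(claims)}`;
  const key = await importKey(alg, secret, 'sign');
  const sig = await subtle.sign('HMAC', key, enc.encode(input));
  return `${input}.${bytesToB64url(new Uint8Array(sig))}`;
}
```

Decoding succeeds for any well-formed token, so a readable payload says nothing about authenticity; only the `verifyHmac` result does, and it treats every header `alg` outside the HS allowlist as a failure.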

Unlike most online decoders, there is no server round-trip and no analytics script watching the textarea. Tokens are credentials — treat any tool that uploads them as a leak. (For production secrets, prefer a decoder you can audit… or one that runs on a device you own.)

Debugging tokens against a real API? ReqPad ships JWT and Bearer auth, OAuth 2.0 flows and a request history on your phone — paste the same token into a live request and see what the server says. Also try the cURL → Swift/Kotlin/Dart converter, or read why there's still no Postman mobile app.
