Decode a JSON Web Token to inspect its header, payload, and expiry.
CipherForces JWT Decoder splits a JSON Web Token into its three parts (header, payload, signature), base64url-decodes each, and pretty-prints the JSON with syntax highlighting. Expiration and issued-at timestamps are shown as human-readable UTC alongside a relative time ("expires in 14 minutes" / "issued 3 hours ago").
Unlike jwt.io — which is excellent but requires a network round trip to their servers — this tool runs 100% in your browser. You can paste production tokens without worrying that they'll leak into anyone's logs.
This tool does not verify the signature — that requires the issuer's public key or HMAC secret, which we don't ask for. Pasting a token into a decoder on any site is safe; pasting it into a verifier means handing over your secret. For debugging, decoding is usually all you need.
Privacy: All decoding happens in your browser. The token string is never sent to any server.
Three simple steps to get your result.
Drag and drop or click to select your file.
Adjust quality, size, or format options.
Your processed file is ready instantly.
Generate SHA-1, SHA-256, SHA-384, SHA-512 hashes for text and files.
Open toolVerify file integrity by comparing SHA-256 checksums.
Open toolEncrypt text and files with AES-256. Decrypt with your password.
Open toolCheck any website's SSL certificate and security headers.
Open toolPrivacy-first tools that work everywhere.