Paste a JSON Web Token and instantly inspect the header, payload and expiry. ToolPit decodes claims locally — perfect for debugging auth flows without sending tokens to a third party.
How to decode a JWT
- Paste your JWT into the input field.
- ToolPit splits header, payload and signature.
- Inspect claims like iss, sub, exp and iat in plain JSON.
- Check the expiry countdown to see if the token is still valid.
Frequently asked questions
Is my JWT sent anywhere?+
No. Decoding is done with JavaScript in your browser. Your token never leaves the page — safe for production secrets.
Can ToolPit verify the signature?+
ToolPit decodes the token but does not verify the signature. Signature verification requires the issuer's secret or public key, which should never leave your server.
Why is my JWT marked as expired?+
The exp claim is in the past relative to your system clock. Either refresh the token or check that your clock is synced.