Paste a JWT token into the input area. Pastefix instantly decodes the header and payload, checks if the token is expired, and breaks down every claim with a human-readable description. No libraries or browser extensions needed. Click "Explain with AI" for a detailed security analysis of the token's claims and configuration.
Pastefix's JWT Decoder splits any JSON Web Token into its three parts — header, payload, and signature — and decodes the Base64URL-encoded data. It identifies the signing algorithm, checks expiration timestamps, and explains each registered claim (iss, sub, aud, exp, iat, etc.) so you understand exactly what the token grants.
Yes. JWT decoding is pure Base64 decoding and happens entirely in your browser. Your token never leaves your device unless you click "Explain with AI." Never paste production tokens with sensitive claims into any online tool that transmits data.
Pastefix decodes and displays the signature but does not verify it cryptographically. Signature verification requires the signing key or public certificate, which should only be done server-side in your application.
Pastefix supports standard three-part JWTs (header.payload.signature) using any signing algorithm — HS256, RS256, ES256, and others. It decodes the algorithm from the JOSE header automatically.
Yes. If the token contains an "exp" claim, Pastefix automatically calculates whether it is expired and displays the expiration date in your local timezone.