Decode base64 strings and JWT tokens with auto-detection, claim inspection, and expiry status.
Last verified: May 2026
JWTs are three base64url-encoded segments joined by dots. The Base64 / JWT Decoder auto-detects whether you have pasted a plain base64 string or a full JWT, then either base64-decodes the payload or splits the JWT into header, payload, and signature with each segment fully decoded. Expiration, not-before, and issued-at claims are formatted as human-readable timestamps and flagged when expired so a token problem is obvious immediately rather than discovered by squinting at a unix timestamp.
An on-call alert fires at 11pm: 'Mobile API returning 401 to a percentage of users.' The mobile client logs include a redacted JWT. You paste it into the decoder. The header says alg: RS256 and kid: rotated-key-2026-04. The issuer rotated keys two weeks ago and you forgot to refresh the JWKS cache on this region's edge. A 30-second config push restores service. Without the decoder you would have spent another five minutes hunting for the kid header parameter in raw base64.
If the payload decodes but the timestamps look wrong (year 56432 or year 1970), the issuer is emitting Unix milliseconds instead of seconds. RFC 7519 specifies seconds; some non-standard issuers ignore that. Divide by 1000 to read it.
A token that fails as 'expired' even though you just issued it usually means the clock on the issuer or the verifier is wrong. JWT validators allow for clock skew but reject tokens whose iat or nbf is more than 30-60 seconds in the future; the symptom can look identical to expiration.
The decoder first inspects the input for the JWT shape (three base64url segments joined by dots). If found, it splits, base64url-decodes each segment, and parses header and payload as JSON. Otherwise it treats the input as raw base64 (or base64url) and decodes it as a string. Expiration handling normalizes timestamps to human-readable UTC and flags exp/nbf/iat values that are in the past or unreasonably far in the future.
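The detection and timestamp handling described above, sketched as an added Node.js example (not the tool's own code). The function names, the 1e11 milliseconds threshold, the 60-second leeway, the error result for non-JSON segments and the sample token are assumptions made for illustration.

```javascript
// Added example for Node.js; names, thresholds and the sample token are constructed.
const SEGMENT = /^[A-Za-z0-9_-]+$/;
// base64url -> UTF-8 text (Buffer's base64 decoder tolerates missing padding).
function b64urlDecode(seg) {
  return Buffer.from(seg.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');
}
function b64urlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// RFC 7519 NumericDate is seconds. Values above 1e11 are assumed to be milliseconds.
function normalizeTime(value) {
  const isMs = value > 1e11;
  const seconds = isMs ? Math.floor(value / 1000) : value;
  return { seconds, isMs, utc: new Date(seconds * 1000).toISOString() };
}

function inspect(input, nowSeconds = Math.floor(Date.now() / 1000), leeway = 60) {
  const text = input.trim();
  const parts = text.split('.');
  if (parts.length !== 3 || !parts.every((p) => SEGMENT.test(p))) {
    return { kind: 'base64', text: b64urlDecode(text) };
  }
  try {
    const header = JSON.parse(b64urlDecode(parts[0]));
    const payload = JSON.parse(b64urlDecode(parts[1]));
    const times = {};
    for (const claim of ['exp', 'nbf', 'iat']) {
      if (typeof payload[claim] === 'number') times[claim] = normalizeTime(payload[claim]);
    }
    const flags = [];
    if (times.exp && times.exp.seconds <= nowSeconds) flags.push('expired');
    if (times.nbf && times.nbf.seconds > nowSeconds + leeway) flags.push('not yet valid');
    if (times.iat && times.iat.seconds > nowSeconds + leeway) flags.push('issued in the future');
    if (Object.values(times).some((t) => t.isMs)) flags.push('milliseconds timestamp');
    // The signature is returned as-is: decoding a token does not verify it.
    return { kind: 'jwt', header, payload, times, flags, signature: parts[2] };
  } catch (err) {
    return { kind: 'error', message: err.message };
  }
}

// Constructed sample: iat in seconds, exp in milliseconds, placeholder signature.
const SAMPLE = [
  b64urlEncode({ alg: 'RS256', kid: 'rotated-key-2026-04' }),
  b64urlEncode({ sub: 'user-1', iat: 1770000000, exp: 1770003600000 }),
  'c2ln',
].join('.');
```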
Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.