ToolFlip

Free Online JWT Decoder

Decode and inspect JWT tokens instantly


All decoding happens in your browser. Your token is never sent to any server. This tool does not verify signatures — it only decodes the header and payload.

About this tool

Decode and inspect JSON Web Tokens (JWTs) instantly with this free online JWT decoder. Paste any JWT and see its header, payload, and signature broken down into readable JSON — no libraries or command-line tools needed. JWTs are the standard format for authentication tokens in modern web applications, APIs, and single sign-on (SSO) systems. Each token consists of three Base64URL-encoded parts separated by dots: a header specifying the algorithm, a payload containing claims like user ID, expiration time, and roles, and a signature for verification. This tool parses all three sections and displays them with syntax highlighting, automatically converts Unix timestamps (iat, exp, nbf) into human-readable dates, and flags whether the token is currently expired. It is invaluable for debugging OAuth flows, diagnosing 401 errors, verifying token contents during development, and understanding what data a third-party service includes in its tokens. All decoding happens entirely in your browser — your tokens are never transmitted to any server, keeping sensitive claims private and secure.

Frequently Asked Questions

A JSON Web Token (JWT) is a compact, URL-safe token format used to securely transmit information between parties as a JSON object. JWTs are commonly used for authentication and authorization in web applications, APIs, and single sign-on systems. They consist of three parts: a header, a payload, and a signature.

A JWT consists of three Base64URL-encoded parts separated by dots. The header specifies the token type and signing algorithm (e.g., HS256, RS256). The payload contains claims — key-value pairs with data like user ID, roles, and expiration time. The signature is created by signing the header and payload with a secret or private key.

Yes. The header and payload of a JWT are only Base64URL-encoded, not encrypted, so anyone with the token can read them. Decoding does not require a secret key. This tool processes everything in your browser and never sends your token to a server, so your token data remains private.

The 'exp' (expiration time) claim identifies the time after which the JWT must not be accepted. It is expressed as a Unix timestamp (seconds since January 1, 1970 UTC). This tool automatically converts exp timestamps to human-readable dates and indicates whether the token has expired.
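The decoding steps described above (split on dots, restore Base64URL padding, parse the JSON, convert iat/exp/nbf to dates and flag expiry), written out as an added example in browser-style JavaScript. This is not ToolFlip's own code; the sample token and its signature segment are constructed placeholders.

```javascript
// Added example, not ToolFlip's code: a browser-style JWT decoder that mirrors what the
// tool does. It never checks the signature, so its output says nothing about authenticity.
const TIME_CLAIMS = ["iat", "exp", "nbf"];

// Base64URL omits '=' padding and swaps '+'/'/' for '-'/'_', so both are restored
// before handing the string to atob(); the bytes are then decoded as strict UTF-8.
function base64UrlDecode(segment) {
  if (!/^[A-Za-z0-9_-]*$/.test(segment)) throw new Error("invalid Base64URL character");
  const padded = segment.padEnd(Math.ceil(segment.length / 4) * 4, "=");
  const bin = atob(padded.replace(/-/g, "+").replace(/_/g, "/"));
  const bytes = Uint8Array.from(bin, (ch) => ch.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

function base64UrlEncode(text) {
  const bin = Array.from(new TextEncoder().encode(text), (b) => String.fromCharCode(b)).join("");
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Decodes header and payload, converts time claims to ISO dates and reports expiry.
// `nowSeconds` is injectable so results are reproducible; it defaults to the clock.
function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error(`expected 3 parts (JWS), got ${parts.length}`);
  const [h, p, signature] = parts;
  const header = JSON.parse(base64UrlDecode(h));
  const payload = JSON.parse(base64UrlDecode(p));
  const times = {};
  for (const claim of TIME_CLAIMS) {
    if (Number.isFinite(payload[claim])) times[claim] = new Date(payload[claim] * 1000).toISOString();
  }
  // RFC 7519: the current time must be strictly before exp and not before nbf.
  const expired = Number.isFinite(payload.exp) ? nowSeconds >= payload.exp : null;
  const notYetValid = Number.isFinite(payload.nbf) ? nowSeconds < payload.nbf : null;
  return { header, payload, signature, times, expired, notYetValid, signatureVerified: false };
}

// Constructed sample token: the third segment is a placeholder, not a real HMAC.
const SAMPLE_JWT = [
  base64UrlEncode(JSON.stringify({ alg: "HS256", typ: "JWT" })),
  base64UrlEncode(JSON.stringify({ sub: "user-42", role: "admin", iat: 1700000000, exp: 1700003600 })),
  "not-a-real-signature",
].join(".");
```

Because `signatureVerified` is always false, nothing this returns (including the `role` claim) may be used for an authorization decision; that belongs to a server-side library holding the key.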

This tool focuses on decoding and inspecting JWT contents. Signature verification requires the secret key (for HMAC algorithms) or the public key (for RSA/ECDSA algorithms), which should never be shared in a browser tool. For signature verification, use server-side libraries in your application code.

HS256 (HMAC-SHA256) uses a single shared secret for both signing and verification, making it simpler but requiring the secret to be shared. RS256 (RSA-SHA256) uses an asymmetric key pair — a private key signs the token and a public key verifies it. RS256 is preferred in distributed systems where multiple services need to verify tokens.

A JWT is expired when the current time exceeds the 'exp' claim value. This is normal behavior — tokens are designed to expire for security. Check whether your application is refreshing tokens properly, whether the token issuer is setting appropriate expiration times, or whether there is clock skew between your server and the token issuer.

Standard claims include 'iss' (issuer), 'sub' (subject/user ID), 'aud' (audience), 'exp' (expiration time), 'nbf' (not before), 'iat' (issued at), and 'jti' (JWT ID). Applications often add custom claims like 'role', 'email', 'name', or 'permissions' to carry application-specific data.