JWT Decoder
Decode and inspect JWT tokens
How to Use JWT Decoder
1. Paste your JWT token
2. See the decoded header and payload instantly
3. Check expiration and other claims
About JWT Decoder
JWT Decoder instantly decodes JSON Web Tokens (JWTs) and displays the header, payload, and signature parts in a clear, readable format. JWTs are the dominant authentication token format used by REST APIs, OAuth 2.0 services, and Single Sign-On (SSO) systems.
Paste any JWT string and the tool immediately shows the algorithm in the header, the claims in the payload (including expiration time, issuer, subject, and custom claims), and the raw signature. The expiration time is displayed as a human-readable date.
All decoding runs entirely in your browser using Base64URL decoding — no data is sent to any server. Since JWTs often carry sensitive authentication information, browser-local processing ensures your tokens remain private.
Key Features of JWT Decoder
- Decode any JWT and display header, payload, and signature
- Shows the signing algorithm from the header (HS256, RS256, etc.)
- Displays expiration (exp), issued-at (iat), and not-before (nbf) as readable dates
- Highlights expired tokens with a clear visual warning
- Pretty-printed JSON output for both header and payload
- Works entirely in-browser — your token is never transmitted
- Supports all standard JWT structures including nested JWTs
- One-click copy for the full decoded payload
Examples
Inspect claims in an OAuth 2.0 access token
View the subject, scopes, and expiration of a token returned by an OAuth authorization server.
Input
eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ1c2VyMTIzIiwic2NvcGUiOiJyZWFkIiwiZXhwIjoxNzAwMDAwMDAwfQ.signature
Output
Header: {"alg":"RS256"} | Payload: {"sub":"user123","scope":"read","exp":"2023-11-14T22:13:20Z"}
Check if a session token has expired
Determine if a JWT from a user session is still valid by inspecting its exp claim.
Input
A JWT with an exp claim set to a past date
Output
Token expired on 2025-01-01 00:00:00 UTC — highlighted in red
Common Use Cases
- Inspecting OAuth 2.0 access tokens to verify scopes and expiration
- Debugging authentication failures by checking JWT claims against API requirements
- Verifying token structure and algorithm when integrating a new identity provider
- Checking the subject (sub) and issuer (iss) of incoming tokens in API logs
- Teaching JWT structure and claims in security training and workshops
- Quickly checking whether a token has expired
Troubleshooting
Invalid token — token is not a JWT
Solution
A JWT must have exactly three dot-separated sections (header.payload.signature). Ensure you are pasting the complete token string and have not accidentally trimmed any sections.
Payload shows garbled characters
Solution
JWT sections are Base64URL encoded. The decoder handles this automatically. If output is garbled, ensure the token is complete and was not modified before pasting.
Cannot tell if the token is valid (authentic)
Solution
Decoding shows the claims but does not verify the signature. Signature verification requires the signing key. Use your application's JWT library to verify server-side.
Frequently Asked Questions
Is my JWT token safe when using this tool?
Yes. All decoding happens locally in your browser using JavaScript. Your JWT is never sent to any server, stored, or logged.
Can it verify JWT signatures?
No. Signature verification requires the secret key or public key. This tool decodes and displays the header and payload only.
What is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe token format that encodes a set of claims as a JSON object. It consists of three Base64URL-encoded parts: a header (algorithm), a payload (claims), and a signature.
What claims should I look for in a JWT?
Key standard claims include: sub (subject/user ID), iss (issuer), aud (audience), exp (expiration time), iat (issued at), and nbf (not before).
How can I tell if a JWT has expired?
The exp claim contains a Unix timestamp representing when the token expires. This tool converts it to a human-readable date and highlights expired tokens.
What is the difference between HS256 and RS256?
HS256 uses a shared secret key. RS256 uses a private key for signing and a public key for verification — suitable for distributed systems.
Can I decode a JWT without a library?
Yes. A JWT is just three Base64URL-encoded sections separated by dots: the header and payload decode to JSON, and the third section is the raw signature. This tool automates exactly that process.
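The decoding steps described above, as an added JavaScript example (not this tool's own code). The function names and result fields are assumptions of this example, and the sample token is the one from the Examples section. It only decodes; it does not verify the signature.

```javascript
// Added example: decode-only JWT inspection. The signature is NOT verified.
// Function names and result fields are assumptions of this example.
function b64urlToBytes(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error("not Base64URL");
  // Map the URL-safe alphabet back to standard Base64 and restore padding.
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
}

function decodeJsonSegment(segment, name) {
  try {
    const bytes = b64urlToBytes(segment);
    // fatal: true rejects invalid UTF-8 instead of showing garbled characters.
    const value = JSON.parse(new TextDecoder("utf-8", { fatal: true }).decode(bytes));
    if (value === null || typeof value !== "object" || Array.isArray(value)) {
      throw new Error("not an object");
    }
    return value;
  } catch (e) {
    throw new Error(`${name} is not a Base64URL-encoded JSON object`);
  }
}

function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) {
    throw new Error("token is not a JWT: expected header.payload.signature");
  }
  const header = decodeJsonSegment(parts[0], "header");
  const payload = decodeJsonSegment(parts[1], "payload");
  const dates = {};
  for (const claim of ["exp", "iat", "nbf"]) {
    // Time claims are Unix timestamps in seconds; Date expects milliseconds.
    if (typeof payload[claim] === "number") {
      dates[claim] = new Date(payload[claim] * 1000).toISOString();
    }
  }
  // A token is expired once the current time reaches exp.
  const expired = typeof payload.exp === "number" && nowSeconds >= payload.exp;
  // signatureVerified is always false: authenticity needs the signing key.
  return { header, payload, dates, signature: parts[2], expired, signatureVerified: false };
}

// Sample token from the Examples section of this page.
const SAMPLE_TOKEN =
  "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ1c2VyMTIzIiwic2NvcGUiOiJyZWFkIiwiZXhwIjoxNzAwMDAwMDAwfQ.signature";
```

Pass a fixed `nowSeconds` to get a repeatable expiry check; omit it to compare against the current clock.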
Should I paste production tokens into online tools?
This tool processes tokens locally in your browser, so they are not transmitted anywhere. For sensitive production tokens in high-security environments, consider using a locally-run version.