JWT Decoder
Decode and inspect JSON Web Tokens with claim explanations
About JWT Decoder
The JWT Decoder is a free online tool that instantly decodes any JSON Web Token into its three component parts: Header, Payload, and Signature. JSON Web Tokens (JWTs) are an open standard (RFC 7519) used to securely transmit information between parties as compact, self-contained JSON objects. They are the backbone of modern authentication and authorization in web applications, APIs, and microservices.
Every JWT consists of three Base64URL-encoded segments separated by dots. The Header specifies the signing algorithm (such as HS256 or RS256) and token type. The Payload contains claims -- key-value pairs carrying user data, permissions, expiration times, and other metadata. The Signature is computed over the header and payload, so any tampering with either can be detected, but only by a party holding the correct secret or public key to verify it.
This tool decodes JWTs entirely in your browser with no server round-trip, so your tokens are never transmitted or stored externally. It also checks expiration status, formats timestamps into human-readable dates, and provides explanations for standard registered claims like iss, sub, aud, exp, iat, and nbf.
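The decode-and-inspect step described above, as an added example that is not the tool's own source: it splits the compact token, Base64URL-decodes the header and payload, reports the same expiration status the banner shows, and annotates registered claims. The sample token, claim explanation texts and issuer/subject values are constructed for illustration, and no signature check is made.

```javascript
// Added example, not the tool's code: client-side JWT decoding with no signature check.
// Buffer is used so it runs under Node as well; in a browser, atob() does the same job.
function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64 + '='.repeat((4 - (b64.length % 4)) % 4), 'base64').toString('utf8');
}

// Encoder used only to build the constructed sample token below.
function base64UrlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Short explanations for the registered claims of RFC 7519 (wording is ours, not the tool's).
const CLAIM_HELP = {
  iss: 'Issuer: principal that issued the token',
  sub: 'Subject: principal the token is about',
  aud: 'Audience: intended recipient(s)',
  exp: 'Expiration time, Unix seconds; token must not be accepted on or after it',
  nbf: 'Not before, Unix seconds; token must not be accepted before it',
  iat: 'Issued at, Unix seconds',
  jti: 'JWT ID: unique identifier, useful for replay detection',
};

// Split and decode a JWS compact token; nowSeconds is a parameter so the check is testable.
function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error(`expected 3 segments, got ${parts.length}`);
  const header = JSON.parse(base64UrlDecode(parts[0]));
  const payload = JSON.parse(base64UrlDecode(parts[1]));
  let status = 'No exp claim';
  if (typeof payload.exp === 'number') status = payload.exp > nowSeconds ? 'Token Valid' : 'Token Expired';
  if (typeof payload.nbf === 'number' && payload.nbf > nowSeconds) status = 'Not Yet Valid';
  const explained = {}, timestamps = {};
  for (const [name, value] of Object.entries(payload)) {
    explained[name] = CLAIM_HELP[name] || 'Public or private claim (application-defined)';
    if (['exp', 'iat', 'nbf'].includes(name) && typeof value === 'number') {
      timestamps[name] = new Date(value * 1000).toISOString();
    }
  }
  return { header, payload, signature: parts[2], algorithm: header.alg, status, explained, timestamps };
}

// Constructed sample: the signature segment is a placeholder, since decoding never verifies it.
const SAMPLE_TOKEN = [
  base64UrlEncode({ alg: 'HS256', typ: 'JWT' }),
  base64UrlEncode({ iss: 'https://issuer.example', sub: 'user-42', iat: 1700000000, exp: 1700003600, role: 'admin' }),
  'placeholder-signature',
].join('.');

console.log(JSON.stringify(decodeJwt(SAMPLE_TOKEN), null, 2));
```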
Key Features
- Instantly decode any JWT into Header, Payload, and Signature sections
- Automatic expiration check with clear "Token Valid" or "Token Expired" status banner
- Human-readable formatting of Unix timestamps (exp, iat, nbf) with timezone display
- Explanations for all standard registered claims (iss, sub, aud, exp, nbf, iat, jti)
- One-click copy buttons for the header, payload, and signature individually
- Real-time decoding as you type or paste, with debounced input handling
- Color-coded sections: blue for Header, purple for Payload, orange for Signature
- Algorithm badge (HS256, RS256, ES256, etc.) displayed prominently in the status banner
- Sample token provided for quick testing and demonstration
- 100% client-side processing with no data sent to any server
How to Use
- Paste your JWT: Copy a JSON Web Token from your application, API response, browser developer tools, or authentication system and paste it into the input field.
- View decoded sections: The tool instantly splits the token into Header, Payload, and Signature, displaying each in a formatted, color-coded panel.
- Check expiration: A status banner at the top shows whether the token is still valid or has expired, along with the exact expiration date and countdown.
- Read claim explanations: Standard registered claims like iss, sub, exp, and iat are annotated with descriptions so you understand what each field means.
- Copy sections: Use the copy button on any section to copy the formatted JSON to your clipboard for use in documentation or debugging.
- Try a sample: Click the "Sample Token" button to load a pre-built JWT and see how the decoder works before pasting your own tokens.
Use Cases
- Authentication debugging: Quickly inspect JWTs returned by your auth server to verify that claims, roles, and permissions are set correctly.
- API development: Decode access tokens during API integration to confirm the payload contains the expected user ID, scopes, and expiration time.
- Security auditing: Examine tokens for sensitive data exposure, weak algorithms (like "none"), or excessively long expiration periods.
- Learning & education: Understand JWT structure by decoding sample tokens and reading the annotated claim descriptions provided by the tool.
- Token expiration troubleshooting: Determine whether authentication failures are caused by expired tokens by checking the exp claim against the current time.
- Microservices debugging: Inspect tokens passed between services to verify that upstream services are issuing correctly structured JWTs with the right claims.
- OAuth flow validation: Decode ID tokens and access tokens from OAuth 2.0 and OpenID Connect flows to verify issuer, audience, and scope values.
- Documentation: Copy decoded header and payload JSON into API documentation or runbooks to illustrate expected token structures.
Frequently Asked Questions
Is this tool free?
Yes. The JWT Decoder is completely free to use with no account required, no usage limits, and no ads blocking functionality.
Is my data secure?
Absolutely. All decoding happens entirely in your browser using JavaScript. Your JWT is never sent to any server, making this tool safe for inspecting production tokens.
Does this tool verify the JWT signature?
No. Signature verification requires the secret key (for HMAC) or the public key (for RSA/ECDSA), and it cannot be performed safely in a client-side browser tool. Use server-side libraries for signature validation.
What is the difference between HS256 and RS256?
HS256 is a symmetric algorithm that uses a single shared secret for both signing and verification. RS256 is an asymmetric algorithm that uses a private key to sign and a public key to verify, making it ideal for distributed systems.
Can I decode encrypted JWTs (JWE)?
This tool decodes signed JWTs (JWS). Encrypted JWTs (JWE) require a decryption key and are not supported by this decoder.
Why does my token show as expired?
The tool compares the exp (expiration) claim against your current system time. If the expiration timestamp is in the past, the token is marked as expired. Check that your system clock is accurate.
Tips & Best Practices
- Keep tokens short-lived: Use expiration times of 15 to 60 minutes for access tokens and pair them with secure, HTTP-only refresh tokens for session continuity.
- Never store secrets in the payload: JWTs are encoded, not encrypted. Anyone with the token can decode the payload, so never include passwords, credit card numbers, or other sensitive data.
- Always validate server-side: Decoding a JWT in the browser is useful for debugging, but always verify the signature on your backend before trusting any claims.
- Use asymmetric algorithms for distributed systems: Choose RS256 or ES256 when multiple services need to verify tokens independently without sharing a secret key.
- Monitor token size: Large payloads increase request header size and can slow down API calls. Keep claims minimal and use references (like user IDs) instead of embedding full user profiles.
- Rotate signing keys regularly: Implement key rotation strategies using the kid (Key ID) header parameter to transition between signing keys without invalidating all existing tokens.