JWT Decoder Online — Decode JSON Web Tokens

Decode and inspect JSON Web Tokens (JWT). View header, payload, expiration, and claims. No data is sent to any server.

What is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe token format used for authentication and information exchange. It consists of three Base64url-encoded parts: header, payload, and signature, separated by dots.

Is this tool secure?

Yes. JWT decoding happens entirely in your browser. No tokens are sent to any server. Never share your tokens with untrusted online tools.

About This Tool

The JWT Decoder decodes JSON Web Tokens (JWTs) and displays their header, payload, and signature in a readable format. It is an essential debugging tool for developers working with authentication systems, API security, OAuth 2.0 flows, and session management.

Key Features

  • Header & Payload Decoding — Decodes and pretty-prints the JWT header (algorithm, token type) and payload (claims, expiration, issuer) sections.
  • Expiration Check — Reads the exp claim and shows whether the token is currently valid or has expired, with the exact expiry date and time in your local timezone.
  • Signature Section Display — Shows the Base64url-encoded signature section for reference, without performing signature verification (which requires the secret key or public key).
  • Browser-Based Processing — All decoding runs locally in your browser. Your JWT tokens never leave your device.
  • Free & No Signup — Use this tool as many times as you need without creating an account or paying anything.

Common Use Cases

  • Inspecting the claims inside an access token received from an OAuth 2.0 authorization server
  • Checking whether a JWT is expired by reading the exp claim when debugging a 401 Unauthorized error
  • Verifying that the correct user roles or permissions are included in the token payload during development
  • Examining the algorithm (alg) and key ID (kid) in the header when troubleshooting token validation failures
  • Reading tokens passed via Authorization headers in API requests during frontend debugging sessions

How to Use

Paste the full JWT (the three-part dot-separated string) into the input field. The header and payload sections are decoded and displayed as formatted JSON. The expiration status is shown automatically based on the exp claim. The signature is displayed but not verified.

Frequently Asked Questions

What is a JWT and how is it structured?

A JWT (JSON Web Token) consists of three Base64url-encoded parts separated by dots: the header (algorithm and token type), the payload (claims like user ID, roles, expiration), and the signature (which verifies the token has not been tampered with).

Does decoding a JWT verify its signature?

No. This tool only decodes the header and payload sections, which are plain Base64url-encoded JSON. Signature verification requires the secret key or public key and must be done server-side. Never trust a decoded JWT without server-side verification.

Is it safe to decode a JWT in a browser tool?

Yes, for debugging purposes. The header and payload are not encrypted—anyone with the token can read them. Treat JWTs like session cookies: only paste tokens from development environments, not production user tokens.

What is the difference between JWTs signed with HS256 and RS256?

HS256 uses a shared secret (symmetric): both the issuer and verifier must know the secret key. RS256 uses a private key to sign and a public key to verify (asymmetric), which is safer for multi-service architectures where services should verify but not issue tokens.