JWT Decoder

Decode and inspect JSON Web Tokens (JWT) online. View header, payload, claims, and expiration status without any server.

Your data never leaves your browser

How to Use

  1. 1

    Paste your JWT

    Copy a JWT token (the long string starting with 'eyJ...') and paste it into the input field.

  2. 2

    Click Transform

    The tool decodes the Base64URL-encoded header and payload sections.

  3. 3

    Inspect the result

    View the decoded header (algorithm, type), payload (all claims), expiration status, and the raw signature.

What is JWT Decoder?

A JSON Web Token (JWT) is a compact, URL-safe token format used for securely transmitting claims between two parties. This JWT decoder lets you decode JWT tokens online and inspect their contents instantly. JWTs consist of three Base64URL-encoded parts separated by dots — a header, a payload, and a signature — and are widely used in authentication systems, OAuth 2.0 flows, API authorization, and single sign-on (SSO).

It is critical to understand that JWT is an encoding format, not encryption. Anyone with access to a token can decode the header and payload without needing a secret key. The header identifies the signing algorithm (e.g., HS256, RS256) and token type, while the payload carries claims such as user ID, roles, expiration time (exp), issued-at time (iat), and subject (sub). This JWT inspector displays every claim clearly and flags whether the token has expired.

Security matters when working with tokens. Many online JWT decode tools send your token to a remote server for processing, which risks leaking sensitive claims such as user IDs or session data. This JWT token decoder runs entirely in your browser using JavaScript — no data ever leaves your machine. Even so, avoid pasting production tokens into any online tool unless you are certain it is client-side only.

This tool pairs well with our Base64 Decode and Base64 Encode utilities for working with the raw Base64URL segments of a token, and our article on JWT Tokens Explained provides a deeper dive into token structure, signing algorithms, and best practices. Whether you are debugging an authentication flow, reviewing API responses, or learning how JWTs work, this free JSON web token decoder gives you the full picture in seconds.

FAQ

Does this tool verify the JWT signature?
No. This tool only decodes the header and payload, which are Base64URL-encoded (not encrypted). Signature verification requires the secret key or public key, which should never be shared in a browser tool.
Is it safe to paste my JWT here?
Yes. All decoding happens in your browser using JavaScript. The token is never sent to any server. However, you should still avoid sharing JWTs publicly as they may contain sensitive claims.
What does 'EXPIRED' mean in the output?
If the token's 'exp' (expiration) claim contains a timestamp that is in the past, the tool marks it as expired. This means the token is no longer valid for authentication.
What is the difference between decoding and verifying a JWT?
Decoding extracts the header and payload from Base64URL — anyone can do this without a key. Verifying checks the cryptographic signature to confirm the token hasn't been tampered with and was issued by a trusted party. This tool decodes only; verification requires server-side code with the signing key.
Why does my JWT have three parts separated by dots?
A JWT consists of three Base64URL-encoded segments: Header (algorithm and type), Payload (claims like user ID, expiration), and Signature (cryptographic proof of integrity). The dot separators divide these three parts.

Related Articles

Related Tools