This free online JWT decoder lets you decode and inspect JSON Web Tokens instantly in your browser. JWTs are the standard for authentication and authorization in modern web applications, APIs, and microservices. Paste any JWT to see its decoded header, payload, and signature — no server calls, no data collection.
Step-by-Step
Paste your JWT — Copy the token from your application, API response, browser cookies, or authorization header and paste it into the input field.
View decoded sections — The tool instantly splits the JWT into its three Base64url-encoded parts: Header (algorithm and token type), Payload (claims and data), and Signature.
Inspect claims — Review standard claims like iss (issuer), sub (subject), exp (expiration), iat (issued at), and any custom claims your application includes.
Check expiration — The tool highlights whether the token is expired based on the exp claim compared to the current time.
Features
Three-panel decode — See the Header, Payload, and Signature sections in formatted, syntax-highlighted JSON.
Expiration check — Instantly see whether a token is inside its validity window (expired, or not yet valid) based on the exp and nbf claims; this is a time check only, not a signature check.
Algorithm display — Identify the signing algorithm (HS256, RS256, ES256, etc.) from the header.
Claim timestamps — Unix timestamps in exp, iat, and nbf are converted to human-readable dates.
Error detection — Malformed tokens are flagged with specific error messages explaining what's wrong.
Privacy guaranteed — All decoding uses browser-native atob and JSON.parse. No data leaves your machine.
Common Use Cases
Authentication Debugging — When login flows fail, paste the JWT from your browser's cookies or local storage to inspect the claims and verify the token contains the expected user ID, roles, and scopes.
API Development — Decode tokens from API responses to verify that your auth server is issuing tokens with the correct claims, audience, and expiration times.
Token Expiration Issues — Quickly check the exp claim to determine if a "401 Unauthorized" error is caused by an expired token rather than incorrect permissions.
Security Audits — Inspect JWTs to ensure sensitive data isn't being stored in the payload (which is only Base64url-encoded, not encrypted) and that strong signing algorithms are being used.
Learning and Teaching — Visualize the three-part JWT structure to understand how header, payload, and signature work together in token-based authentication.
Tips for Power Users
- JWTs are **signed, not encrypted**. Anyone can decode and read the payload — never store secrets or passwords in JWT claims.
- The signature section cannot be verified without the secret key or public key. This tool decodes but does not validate signatures.
- Look for the alg field in the header — if it's set to none, the token has no signature and should be treated as untrusted.
- Combine this tool with the Base64 Encoder/Decoder for manual inspection of individual JWT segments.
- Check the aud (audience) claim to ensure the token was issued for your specific application.
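The decode steps above and the alg/expiration checks from these tips, as an added example written for this page (not the tool's own code): a minimal client-side decoder that splits the token, converts each segment from base64url to the standard alphabet that atob expects, parses the JSON, and flags malformed segments, alg "none", and exp/nbf outside the current time. The issuer, subject and signature in the sample token are constructed placeholders.

```javascript
// Added example (not the tool's own code): a minimal client-side JWT decoder that mirrors
// the steps above: split, base64url-decode, parse JSON, then check alg, exp and nbf.
// atob()/btoa() only speak standard Base64, so the URL-safe alphabet and missing padding
// must be converted; that conversion is where many hand-rolled decoders go wrong.

function base64UrlDecode(segment) {
  if (!/^[A-Za-z0-9_-]*$/.test(segment)) throw new Error('invalid base64url character');
  let b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const rem = b64.length % 4;
  if (rem === 1) throw new Error('invalid base64url length');
  if (rem) b64 += '='.repeat(4 - rem);
  const bin = typeof atob === 'function' ? atob(b64) : Buffer.from(b64, 'base64').toString('binary');
  return new TextDecoder().decode(Uint8Array.from(bin, (c) => c.charCodeAt(0))); // UTF-8 safe
}

function base64UrlEncode(str) { // used only to build the constructed sample token below
  const bin = String.fromCharCode(...new TextEncoder().encode(str));
  const b64 = typeof btoa === 'function' ? btoa(bin) : Buffer.from(bin, 'binary').toString('base64');
  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) throw new Error(`expected 3 dot-separated segments, got ${parts.length}`);
  let header, payload;
  try { header = JSON.parse(base64UrlDecode(parts[0])); } catch (e) { throw new Error(`header: ${e.message}`); }
  try { payload = JSON.parse(base64UrlDecode(parts[1])); } catch (e) { throw new Error(`payload: ${e.message}`); }
  const warnings = [];
  if (!header.alg || String(header.alg).toLowerCase() === 'none') {
    warnings.push('alg is "none": token carries no signature and must be treated as untrusted');
  }
  if (typeof payload.exp === 'number' && payload.exp <= nowSeconds) {
    warnings.push(`expired at ${new Date(payload.exp * 1000).toISOString()}`);
  }
  if (typeof payload.nbf === 'number' && payload.nbf > nowSeconds) {
    warnings.push(`not valid before ${new Date(payload.nbf * 1000).toISOString()}`);
  }
  // The signature is shown but never verified: that needs the key, which a decoder does not have.
  return { header, payload, signature: parts[2], warnings };
}

// Constructed sample (not a real token): HS256 header, time-bounded payload, dummy signature.
const SAMPLE_TOKEN = [
  base64UrlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' })),
  base64UrlEncode(JSON.stringify({ iss: 'https://issuer.example', sub: 'user-42', exp: 1700000000, nbf: 1699990000 })),
  'c2lnbmF0dXJlLXBsYWNlaG9sZGVy',
].join('.');
```

Pass a fixed `nowSeconds` to reproduce a given expiration result; with the default, the check runs against the current clock.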
Why Use This Tool?
This JWT decoder runs entirely client-side using native JavaScript Base64 and JSON parsing. Your tokens — which may contain user IDs, emails, roles, and other sensitive claims — are never sent to any server. It's the safest way to inspect JWTs during development, debugging, and security reviews.