JWT Decoder — Client-Side Token Inspector & Debugger

Free JWT Decoder — Inspect Tokens, Verify Claims & Debug Auth

This JWT decoder runs entirely in your browser — no token data is ever sent to a server. Unlike jwt.io or token.dev, which transmit your token to remote endpoints for processing, this tool parses the Base64-encoded header, payload, and signature locally using JavaScript. Whether you’re debugging an OAuth2 access token, inspecting a Firebase ID token, or verifying JWS claims in an API response, you’ll get a complete breakdown of every claim with human-readable timestamps for iat, exp, and nbf fields.

Built for backend developers, DevOps engineers, and security professionals who need to decode JSON Web Tokens without risking credential exposure. Paste your JWT below to inspect it instantly — no signup, no tracking, no data collection.

How to Use the JWT Decoder

Decoding and inspecting JWT tokens takes just a few seconds. Follow these steps to debug your authentication tokens.

Step 1: Paste Your JWT

Copy the full JWT string from your API response, browser dev tools, or server logs. Paste it into the input field — the tool will immediately parse it into its three components: header, payload, and signature.

Step 2: Inspect the Header

The header section shows the signing algorithm (alg) and token type (typ). Common algorithms include RS256, HS256, and ES256. This is essential for checking that your token was signed with the expected algorithm. Keep in mind that the header is only protected by the signature itself, so a verifier should enforce the algorithm it expects rather than trusting whatever alg value the token carries.

Step 3: Review the Payload

The payload contains all claims — both registered claims like iss (issuer), sub (subject), aud (audience), exp (expiration), and iat (issued at), plus any custom claims your application adds. Timestamps are automatically converted to human-readable dates.

Step 4: Check Token Status

The decoder automatically evaluates whether the token is currently valid, expired, or not yet valid based on the exp and nbf claims. This is a time-window check only; it says nothing about whether the signature is genuine.

What Is a JWT (JSON Web Token)?

A JSON Web Token (JWT) is a compact, URL-safe token format defined in RFC 7519. It consists of three Base64URL-encoded parts separated by dots: header.payload.signature. JWTs are widely used in OAuth 2.0, OpenID Connect, API authentication, and single sign-on (SSO) systems.

Common JWT Claims Explained

  • iss (Issuer) — Identifies who issued the token.
  • sub (Subject) — The user ID or entity the token represents.
  • aud (Audience) — The intended recipient service.
  • exp (Expiration) — Unix timestamp after which the token is invalid.
  • iat (Issued At) — Unix timestamp when the token was created.
  • nbf (Not Before) — The token cannot be used before this time.
  • jti (JWT ID) — Unique identifier to prevent replay attacks.

Frequently Asked Questions

Is it safe to paste my JWT into an online decoder?

With this tool, yes — the decoding happens entirely in your browser using JavaScript. No token data is sent to any server. Many other online JWT decoders transmit your token to their backend for parsing, which risks exposing sensitive credentials.

Can I decode an expired JWT?

Yes. Decoding only reads the Base64URL-encoded header and payload; it requires neither a valid signature nor an unexpired token. This tool decodes any syntactically valid JWT regardless of its expiration status and clearly flags whether it is currently expired.

What’s the difference between decoding and verifying a JWT?

Decoding reads the header and payload by Base64-decoding the token — anyone can do this. Verifying checks the cryptographic signature to confirm the token hasn’t been tampered with. This tool decodes for inspection; signature verification requires the signing key and should be done server-side.


What Is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe way to represent claims between two parties. You’ll encounter them constantly in modern web development — they’re used for authentication tokens, API authorization, OAuth access tokens, and session management in virtually every web application stack.

A JWT has three parts separated by dots: header.payload.signature

  • Header — encodes the token type (“JWT”) and the signing algorithm (typically HS256, RS256, or ES256)
  • Payload — contains the claims: the actual data being transmitted, like a user ID, role, email, and expiry timestamp
  • Signature — ensures the token hasn’t been tampered with. The signature is computed over the encoded header and payload using a key: a shared secret for HS256, or a private key for RS256 and ES256

This decoder shows you the decoded header and payload. It does not verify the signature (that requires the secret key, which you shouldn’t paste into a browser tool).

How to Use the JWT Decoder

Paste your JWT into the input field. The decoder immediately shows you:

  • The decoded header as formatted JSON (algorithm, token type)
  • The decoded payload as formatted JSON (all claims, including user data)
  • The expiry parsed from the exp claim as a human-readable date/time
  • An expiry status indicator (valid / expired)
  • The raw claims list with each key and value

No button to press, no form to submit. Paste the token and the output appears instantly.
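As an added example (not the tool's own source), the decoding and status logic described in the steps above and in the header.payload.signature breakdown, in browser JavaScript: split the token, base64url-decode the header and payload, render timestamps, and classify by exp and nbf. The sample token and all claim values are constructed for the demo.

```javascript
// Added example (not the tool's source): decode a JWT's header and payload
// client-side and classify it by exp/nbf. Nothing here checks the signature,
// so "valid" means "inside its time window", not "authentic".
function base64UrlDecode(segment) {
  // base64url uses '-' and '_' instead of '+' and '/' and omits '=' padding;
  // restore both before handing the string to the standard Base64 decoder.
  let b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const rem = b64.length % 4;
  if (rem === 1) throw new Error('malformed base64url segment');
  if (rem) b64 += '='.repeat(4 - rem);
  const bin = atob(b64);
  return new TextDecoder().decode(Uint8Array.from(bin, c => c.charCodeAt(0)));
}

function base64UrlEncode(str) {
  // Used only to build the constructed sample token below.
  const bin = Array.from(new TextEncoder().encode(str), b => String.fromCharCode(b)).join('');
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function decodeJwt(token) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const header = JSON.parse(base64UrlDecode(parts[0]));
  const payload = JSON.parse(base64UrlDecode(parts[1]));
  return { header, payload, signature: parts[2] }; // signature kept raw, never verified
}

function tokenStatus(payload, nowSeconds = Math.floor(Date.now() / 1000)) {
  // RFC 7519: now must be >= nbf and strictly < exp; both claims are optional.
  if (typeof payload.nbf === 'number' && nowSeconds < payload.nbf) return 'not yet valid';
  if (typeof payload.exp === 'number' && nowSeconds >= payload.exp) return 'expired';
  return 'valid';
}

function humanTime(unixSeconds) {
  return new Date(unixSeconds * 1000).toISOString();
}

// Constructed sample token: HS256 header, registered claims, placeholder signature.
const SAMPLE_JWT = [
  base64UrlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' })),
  base64UrlEncode(JSON.stringify({ iss: 'https://issuer.example', sub: 'user-42',
    aud: 'api.example', iat: 1700000000, nbf: 1700000000, exp: 1700003600 })),
  'placeholder-signature',
].join('.');

const decoded = decodeJwt(SAMPLE_JWT);
console.log(decoded.header.alg, decoded.payload.sub, humanTime(decoded.payload.exp));
console.log(tokenStatus(decoded.payload, 1700001800)); // valid
console.log(tokenStatus(decoded.payload, 1700003600)); // expired
```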

Security: Why Client-Side Matters Here

Most online JWT decoders send your token to a server for decoding. This is technically unnecessary — base64url decoding is trivial JavaScript — and it creates a real security risk. JWT payloads often contain user IDs, email addresses, roles, and session identifiers. Sending that data to a third-party server is a risk you shouldn’t need to take just to inspect a token structure.

This decoder does everything in your browser tab. Your token is never transmitted.

Common JWT Claims Reference

Claim  Full name    Meaning
sub    Subject      The user or entity the token refers to
iss    Issuer       The service that issued the token
aud    Audience     The intended recipient service
exp    Expiry       Unix timestamp when the token expires
iat    Issued at    Unix timestamp when the token was created
nbf    Not before   Token not valid before this timestamp
jti    JWT ID       Unique identifier for this token

Frequently Asked Questions

Can this decoder verify a JWT signature?

No, and intentionally so. Signature verification requires the key that matches the signature: the shared secret for HS256, or the issuer's public key for RS256 and ES256. You should never paste a secret key into a browser-based tool. If you need to verify signatures, use your server-side JWT library directly.

Why is my JWT showing as expired?

JWTs contain an exp claim with a Unix timestamp. If the current time is past that timestamp, the token is expired. This is expected — tokens are designed to expire and be refreshed. Your auth service should be issuing a new token automatically.

What’s the difference between a JWT and a session cookie?

Traditional session cookies store a session ID on the server and look up the session data on each request. JWTs are self-contained — all the data is in the token itself, so the server doesn’t need to look anything up. This makes JWTs useful for distributed systems and APIs, but it also means the server can’t easily invalidate a JWT before its exp timestamp.

Are JWTs encrypted?

Standard JWTs (JWS) are signed but not encrypted — anyone with the token can read the payload. If you need to hide the payload, use JWE (JSON Web Encryption). Don’t store sensitive data (passwords, SSNs, payment details) in a standard JWT.
