JWT Decoder
About this tool: Decode and inspect JSON Web Tokens (JWT) to view their contents and validate their signatures. JWT is a compact, URL-safe means of representing claims between two parties.
How to use:
- Paste a JWT token in the input field
- Click “Decode” to view the token’s header and payload
- Optionally, enter a secret key to verify the token’s signature
- The tool will show you if the token is valid and when it expires
JWT Decoder: Inspect and Debug JSON Web Tokens Instantly
JSON Web Tokens (JWTs) are everywhere in modern web apps.
But a JWT looks like gibberish until you decode it.
A JWT decoder reveals the token’s contents in readable JSON.
You do not need to manually split the token or decode Base64.
Just paste your JWT, and the tool shows everything.
See the header, payload, and signature instantly.
What Is a JWT Decoder?
A JWT decoder splits a JSON Web Token into its three parts.
It decodes the Base64URL-encoded header and payload.
You see the actual JSON data inside the token.
A JWT has three parts separated by dots: header.payload.signature
The decoder shows you the decoded header and payload.
The signature is displayed but not verified (requires secret).
Core Functions of a Good JWT Decoder
- Split JWT into header, payload, and signature
- Decode Base64URL header to readable JSON
- Decode Base64URL payload to readable JSON
- Show algorithm (alg) and token type (typ)
- Display expiration time (exp) in human-readable format
Our tool includes all these features.
No command line or programming required.
Why You Need a JWT Decoder
JWTs are powerful but opaque without decoding.
Here is why this tool is essential.
Debugging Authentication Issues
Your API returns a 401 Unauthorized error.
Decode the JWT to see if it expired.
Check the exp claim to confirm.
Inspecting User Data
JWTs often contain user information in the payload.
Decode to see user ID, roles, and permissions.
Verify the token has the right claims.
Learning JWT Structure
New to JWTs? Decode example tokens to learn.
See how header, payload, and signature work.
Understand what information tokens carry.
API Development
When testing API endpoints that require JWTs, decode the tokens to see which claims are present.
Ensure your token generation is correct.
Security Audits
Inspect tokens for sensitive information.
Ensure you are not storing passwords in JWTs.
Check that expiration times are reasonable.
How to Use Our JWT Decoder
The tool is built for simplicity and speed.
Follow these steps to decode any JWT.
Step-by-Step Guide
- Copy your full JWT token (including all three parts).
- Paste it into the input box.
- Click the decode button.
- View the decoded header and payload.
The tool shows errors if the token is invalid.
The signature is displayed but not verified.
You can copy the decoded JSON for analysis.
Pro Tips for Best Results
- Ensure you have the full token (two dots included).
- Tokens start with eyJ (Base64 for {"alg").
- Expired tokens can still be decoded.
- Do not share your secret key with anyone.
- Bookmark the tool for frequent debugging.
Understanding JWT Structure
A JWT has three parts separated by dots.
Here is what each part contains.
Header
First part of the token (before first dot).
Contains metadata about the token.
Common fields: alg (algorithm), typ (type).
Example header decoded:
```json
{
  "alg": "HS256",
  "typ": "JWT"
}
```
Payload
Second part of the token (between first and second dot).
Contains the actual claims (data).
Common claims: sub (subject), exp (expiration), iat (issued at).
Example payload decoded:
```json
{
  "sub": "1234567890",
  "name": "John Doe",
  "admin": true,
  "iat": 1516239022,
  "exp": 1743849600
}
```
Signature
Third part of the token (after second dot).
Used to verify the token has not been tampered with.
It is an opaque byte string that cannot be checked without the secret key.
Our tool shows the signature as a string.
It does not verify the signature (requires secret).
Real-World JWT Examples
Seeing actual decoding makes the value clear.
Here are common tokens and their decoded contents.
Example 1: Basic Authentication Token
Encoded JWT: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Decoded header:
```json
{
  "alg": "HS256",
  "typ": "JWT"
}
```
Decoded payload:
```json
{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}
```
Example 2: Token with Expiration
Encoded JWT (shortened for readability): eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjMiLCJleHAiOjE3NDM4NDk2MDB9.abc123
Decoded payload:
```json
{
  "sub": "123",
  "exp": 1743849600
}
```
Expiration as date: Monday, April 5, 2026 12:00:00 UTC
Example 3: Token with User Roles
Decoded payload:
```json
{
  "sub": "user_456",
  "email": "user@example.com",
  "roles": ["admin", "editor"],
  "permissions": ["read", "write", "delete"]
}
```
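The decoding that the "Understanding JWT Structure" section describes, run over Examples 1 and 2 above, as an added Python example (not the tool's own code): it splits the token at the two dots, restores the Base64URL padding that JWT segments drop, parses header and payload as JSON, reports the kinds of "invalid token" input listed later on this page, and renders exp, iat and nbf as readable UTC dates. EXAMPLE_JWT is the Example 1 token from this page; the function names are this example's own. It only decodes: the signature is passed through as a string, exactly as the tool does.

```python
import base64
import json
from datetime import datetime, timezone
from typing import Dict, Optional

# The Example 1 token from this page (the widely used jwt.io sample).
EXAMPLE_JWT = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
    "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
)


def b64url_decode(segment: str) -> bytes:
    """Decode one Base64URL segment.

    JWT segments use '-' and '_' instead of '+' and '/' and omit the '='
    padding, so restore the padding and reject any character outside the
    URL-safe alphabet (the default decoder would silently drop them).
    """
    if not segment:
        raise ValueError("empty segment")
    padded = segment + "=" * (-len(segment) % 4)
    return base64.b64decode(padded, altchars=b"-_", validate=True)


def decode_jwt(token: str) -> Dict[str, object]:
    """Split a compact JWT into header, payload and signature.

    This only *decodes*. The signature is returned as its raw Base64URL
    string; checking it needs the key and is a separate step.
    """
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError(
            f"invalid token format: expected 3 dot-separated parts, got {len(parts)}"
        )
    header_b64, payload_b64, signature_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError) as exc:  # binascii.Error is a ValueError
        raise ValueError(f"header/payload is not valid Base64URL JSON: {exc}") from exc
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise ValueError("header and payload must be JSON objects")
    return {"header": header, "payload": payload, "signature": signature_b64}


def claim_time(payload: dict, claim: str) -> Optional[str]:
    """Render a NumericDate claim (exp, iat, nbf) as an ISO-8601 UTC string."""
    value = payload.get(claim)
    if value is None:
        return None
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        raise ValueError(f"claim {claim!r} must be a Unix timestamp, got {value!r}")
    return datetime.fromtimestamp(int(value), tz=timezone.utc).isoformat()


def inspect_token(token: str) -> Dict[str, object]:
    """Decoded view with readable timestamps, or {'error': ...} on bad input."""
    try:
        decoded = decode_jwt(token)
        payload = decoded["payload"]
        decoded["times"] = {
            c: claim_time(payload, c) for c in ("iat", "nbf", "exp") if c in payload
        }
        return decoded
    except ValueError as exc:
        return {"error": str(exc)}


if __name__ == "__main__":
    print(json.dumps(inspect_token(EXAMPLE_JWT), indent=2))
    print(inspect_token("only.one-dot"))
```

Passing `validate=True` to the decoder matters more than it looks: without it, stray characters in a pasted token are dropped silently and the "decoded" payload may not be what the issuer signed.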
Common JWT Claims
Claims are the key-value pairs in the payload.
Here are the most important standard claims.
| Claim | Name | Description |
|---|---|---|
| iss | Issuer | Who created the token |
| sub | Subject | The user or entity the token is about |
| aud | Audience | Intended recipient of the token |
| exp | Expiration Time | When the token expires (Unix timestamp) |
| nbf | Not Before | Token is not valid before this time |
| iat | Issued At | When the token was created |
| jti | JWT ID | Unique identifier for the token |
Custom Claims
You can add any custom claims you need.
Examples: role, user_id, tenant, plan_type
Our decoder shows all claims, standard or custom.
JWT Algorithms Explained
The alg claim in the header tells you how the token is signed.
Here are the most common algorithms.
HS256 (HMAC with SHA-256)
Type: Symmetric (same secret for sign and verify)
Use: Single-server applications
Security: Good if secret is strong
RS256 (RSA with SHA-256)
Type: Asymmetric (private key to sign, public key to verify)
Use: Microservices, third-party tokens
Security: Very good, no shared secret
ES256 (ECDSA with SHA-256)
Type: Asymmetric (elliptic curve)
Use: High-security applications
Security: Excellent, smaller keys than RSA
None (No signature)
Type: Unsecured (no signature)
Use: Testing only, never production
Security: None – anyone can modify
Our decoder shows the algorithm from the header.
Always verify tokens with the correct secret/key.
JWT Decoder vs. Manual Decoding
You could decode JWTs manually using online Base64 tools.
Here is why our tool is better.
Manual Decoding Challenges
- Need to split token into three parts manually
- Use separate Base64 decoder for each part
- Base64URL requires special handling
- No formatting of decoded JSON
- Time-consuming for multiple tokens
Our Tool Advantages
- One paste, one click, instant results
- Automatic Base64URL decoding
- Formatted JSON output
- Handles any number of tokens
- Shows timestamps in readable format
Use manual tools for learning JWT structure.
Use our tool for daily debugging and development.
Security Considerations
JWTs contain information anyone can decode.
Here is what you need to know.
JWTs Are Not Encrypted by Default
The payload is Base64-encoded, not encrypted.
Anyone with the token can read the contents.
Do not store passwords or secrets in JWTs.
Signature Verification
Decoding does not verify the signature.
A modified token will still decode.
Always verify tokens with the secret/key in your application.
Token Expiration
Always check the exp claim in your application.
Expired tokens should be rejected.
Our decoder shows you the expiration time.
Transport Security
Always send JWTs over HTTPS only.
Never send tokens over unencrypted HTTP.
Tokens can be stolen in transit otherwise.
Common JWT Errors and Fixes
Even experienced developers make JWT mistakes.
Here is how to spot and fix them.
Error 1: Invalid Token Format
Token has only one dot or no dots.
JWTs must have two dots (three parts).
Copy the full token from your Authorization header.
Error 2: Expired Token
Payload contains exp claim in the past.
Token has expired and will be rejected.
Generate a new token with later expiration.
Error 3: Wrong Algorithm
Header says alg: "HS256" but you use RS256.
Verification will fail.
Use the correct algorithm for your tokens.
Error 4: Missing Claims
Token has no exp claim but your app requires it.
Add expiration to your token generation.
Or update your app to accept tokens without expiry.
Error 5: Signature Invalid
Token decodes but signature verification fails.
Token may have been tampered with.
Or you are using the wrong secret/key.
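What the "JWT Algorithms Explained", "Signature Verification" and "Token Expiration" sections and the five errors above describe, as an added Python example that is neither the tool's nor any library's code: it mints an HS256 token with a constructed secret, verifies a token by pinning the algorithm, comparing the HMAC in constant time and checking exp and nbf with optional leeway, and returns each of the errors above as a message. PAGE_TOKEN is the Example 1 token from this page, and `your-256-bit-secret` is the publicly documented default secret of that jwt.io sample. DEMO_SECRET, the function names and the `tamper_payload` negative case are this example's own.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# The HS256 token shown on this page (Example 1). It is the well-known
# jwt.io sample, whose documented signing secret is "your-256-bit-secret".
PAGE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
    "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
)
PAGE_SECRET = b"your-256-bit-secret"

# Constructed secret for the tokens this example mints itself.
DEMO_SECRET = b"demo-secret-not-for-production"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Mint a compact token: base64url(header).base64url(payload).base64url(HMAC)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, payload)
    )
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(mac)}"


def verify_hs256(token: str, secret: bytes, now: Optional[int] = None,
                 leeway: int = 0, require: Tuple[str, ...] = ("exp",)) -> dict:
    """Return the payload only if the token is trustworthy; raise ValueError otherwise.

    Order matters: pin the algorithm, check the MAC, and only then read claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"invalid token format: expected 3 parts, got {len(parts)}")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # The verifier decides the algorithm. A header saying "none" or "RS256"
    # must never change how this secret is used (Error 3 on this page).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        alg = header.get("alg") if isinstance(header, dict) else None
        raise ValueError(f"wrong algorithm: expected HS256, got {alg!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    # Constant-time compare; it also returns False on a length mismatch.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature invalid: token was modified or the secret is wrong")
    payload = json.loads(b64url_decode(payload_b64))
    for claim in require:
        if claim not in payload:
            raise ValueError(f"missing claim: {claim}")
    now = int(time.time()) if now is None else now
    if "exp" in payload and now > int(payload["exp"]) + leeway:
        raise ValueError("token expired")
    if "nbf" in payload and now < int(payload["nbf"]) - leeway:
        raise ValueError("token not yet valid")
    return payload


def check(token: str, secret: bytes, **kwargs) -> str:
    """Convenience wrapper: 'ok', or the reason verification failed."""
    try:
        verify_hs256(token, secret, **kwargs)
        return "ok"
    except ValueError as exc:
        return str(exc)


def tamper_payload(token: str, new_payload: dict) -> str:
    """Constructed negative case: swap the payload but keep the old signature.
    Such a token still *decodes* fine, which is why decoding is not verification."""
    header_b64, _, sig_b64 = token.split(".")
    body = b64url_encode(json.dumps(new_payload, separators=(",", ":")).encode("utf-8"))
    return f"{header_b64}.{body}.{sig_b64}"


if __name__ == "__main__":
    print("page token, correct secret   :", check(PAGE_TOKEN, PAGE_SECRET, require=()))
    print("page token, exp required     :", check(PAGE_TOKEN, PAGE_SECRET))
    token = sign_hs256({"sub": "123", "exp": 1743849600}, DEMO_SECRET)
    print("fresh token, before exp      :", check(token, DEMO_SECRET, now=1743849000))
    print("same token, 100 s past exp   :", check(token, DEMO_SECRET, now=1743849700))
    print("same, with 120 s leeway      :", check(token, DEMO_SECRET, now=1743849700, leeway=120))
    forged = tamper_payload(token, {"sub": "123", "exp": 1743849600, "admin": True})
    print("payload edited, old signature:", check(forged, DEMO_SECRET, now=1743849000))
    unsigned = b64url_encode(b'{"alg":"none"}') + "." + token.split(".")[1] + "."
    print("alg=none header              :", check(unsigned, DEMO_SECRET, now=1743849000))
```

The `now` parameter exists so that the expiry logic can be exercised at fixed instants; in an application you leave it at the default. Keep `leeway` to a few seconds of clock skew, and treat `require` as the list of claims your application cannot do without (Error 4 above is the case where `exp` is required but absent).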
Privacy and Security
Your JWTs may contain sensitive user data.
Here is how we protect your privacy.
Our Security Guarantee
- All decoding happens in your browser
- No JWT is ever sent to our server
- Your token never leaves your computer
- No storage or logging of any kind
We cannot see, share, or access your JWTs.
The technology runs locally on your device.
Even production tokens stay completely private.
Frequently Asked Questions (FAQs)
Can this tool decode any JWT?
Yes. Any valid JWT with two dots can be decoded.
The signature is displayed but not verified.
Header and payload are always decoded.
Does this tool verify the signature?
No. Signature verification requires the secret key.
Our tool does not ask for your secret.
Use your application code for verification.
What does “invalid token” mean?
The token does not have two dots.
Or the header/payload is not valid Base64URL.
Check that you copied the full token.
Can I see when a token expires?
Yes. The exp claim is shown in the decoded payload.
Our tool also shows the expiration as a readable date.
Check if the token is still valid.
Are JWTs secure?
JWTs are secure when used correctly.
Always use HTTPS and strong signing algorithms.
Do not store sensitive data in the payload.
Does this tool work on mobile phones?
Yes. The tool works on all smartphones.
Paste tokens from any source into your browser.
Conclusion
JWTs are essential for modern web authentication.
But raw tokens are unreadable and hard to debug.
A JWT decoder reveals the token contents instantly.
Our tool works without uploads or privacy risks.
See the header, payload, and signature in readable JSON.
Debug authentication issues and inspect token claims.