JWT Decoder
Decode and inspect JWT tokens
Load an example to see the decoder in action. Sample tokens are signed with public test keys and are safe to inspect.
What is JWT Decoder?
The JWT Decoder is a free online tool that decodes JSON Web Tokens and shows you exactly what is inside them. A JWT is made of three Base64URL-encoded parts — header, payload, and signature — separated by dots, and on its own it looks like an unreadable string. This tool splits the token, decodes the header and payload into formatted JSON, and lists every claim such as the issuer (iss), subject (sub), and expiry (exp). Beyond the raw output, it renders the time claims (iat, nbf, exp) as both absolute dates and relative phrases like "expires in" or "expired N ago", shows an at-a-glance status banner — valid, expired, or not yet valid — and keeps a live countdown running. A standard-claims reference panel automatically explains each recognized registered claim found in your payload, and an algorithm panel describes the alg in the header (HS256, RS256, ES256, PS256, EdDSA, none, and their variants). One-click sample tokens let you explore the tool instantly. All decoding happens in your browser, so your tokens stay private.
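The decode steps described above, as an added example that is not the tool's own source: it splits the token, Base64URL-decodes the header and payload, derives the time status from nbf and exp, and flags an unsigned token. The function names and the sample token are constructed for illustration.

```javascript
// Added example (not the tool's source). Decode-only: nothing here checks the signature.
function b64urlToJson(segment) {
  // Base64URL -> padded Base64, then bytes -> UTF-8 text -> JSON.
  let b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  b64 = b64.padEnd(b64.length + ((4 - (b64.length % 4)) % 4), "=");
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}

function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const header = b64urlToJson(parts[0]);
  const payload = b64urlToJson(parts[1]);

  // Time status only, like the banner: "valid" means inside the nbf..exp window.
  let status = "valid";
  if (typeof payload.nbf === "number" && nowSeconds < payload.nbf) status = "not yet valid";
  if (typeof payload.exp === "number" && nowSeconds >= payload.exp) status = "expired";

  const warnings = [];
  if (String(header?.alg).toLowerCase() === "none") warnings.push("alg is none: token is unsigned");
  if (parts[2] === "") warnings.push("signature segment is empty");
  return { header, payload, status, warnings, signatureVerified: false };
}

// Constructed sample tokens; the default signature segment is a dummy value.
const enc = (obj) =>
  btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
function sampleToken(header, payload, signature = "ZHVtbXk") {
  return `${enc(header)}.${enc(payload)}.${signature}`;
}

const demo = sampleToken({ alg: "HS256", typ: "JWT" }, { sub: "user-1", iat: 1000, exp: 2000 });
console.log(inspectJwt(demo, 1500).status, inspectJwt(demo, 2000).status);
```

The status is computed from the claims alone, so a token with a forged payload reports the same status as a genuine one.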
How to use JWT Decoder?
Inspecting a token takes only a few seconds and happens entirely in your browser:
1. Paste a JSON Web Token into the input field, or click one of the sample tokens (HS256, RS256, OAuth with scopes, or an expired token) to load a ready-made example.
2. Click Decode. The header and payload are decoded automatically and displayed as formatted, color-coded JSON so you can read each section clearly.
3. Read the status banner and time claims. The tool tells you whether the token is valid, expired, or not yet active, and renders iat, nbf, and exp as readable dates with relative descriptions and a live countdown.
4. Use the reference panels. The standard-claims panel explains every recognized claim in your payload in plain language, while the algorithm panel describes the signing algorithm declared in the header.
Why use this tool?
JWTs are everywhere in modern authentication, yet their encoded form gives no hint of what they contain. Being able to read a token quickly is invaluable when debugging logins, API authorization, or single sign-on flows. You can confirm the correct user, scopes, and roles are present, spot an expired token causing a failed request, and verify the issuer and audience match your configuration. The human-readable time claims remove the guesswork of converting Unix timestamps, the claims-reference panel acts as a built-in cheat sheet, and the algorithm panel helps you confirm a token uses a strong, expected signing method rather than a weak or "none" algorithm. Because the JWT Decoder runs entirely in your browser, your tokens — which often grant access to real accounts — are never sent to any server. It is a fast, private way to understand exactly what an authentication token is carrying, with no signup required.
Examples
Paste a token from a failing request and the status banner instantly shows whether the exp claim has passed, revealing that an expired token is the cause of the rejection.
Decode a token to confirm the sub and role claims match the logged-in user, using the reference panel to confirm what each claim is meant to hold.
Inspect the alg in the header and read the algorithm panel to confirm a token uses a strong method such as RS256 or ES256, not the unsafe none algorithm.
Frequently Asked Questions
Is the JWT Decoder free to use?
Yes. The JWT Decoder is completely free, with no signup, no limits, and no account required. You can decode as many tokens as you like.
Are my tokens sent to a server?
No. All decoding happens entirely in your browser, so your tokens are never transmitted or stored anywhere. This keeps sensitive access tokens private.
Does the tool verify the token signature?
No. The decoder reads and displays the header and payload, explains the claims, and describes the signing algorithm, but it does not validate the cryptographic signature, which requires the secret or public key. Always verify signatures on your server.
What do claims like iss, sub, and exp mean?
These are standard registered claims: iss is the issuer, sub is the subject (usually the user), and exp is the expiration time. The standard-claims reference panel explains every recognized claim found in your token automatically.
What are the sample tokens for?
The sample tokens let you explore the decoder without pasting a real token. They cover a basic HS256 token, an RS256 token with profile claims, an OAuth token with scopes, and an already-expired token so you can see how each panel behaves.
Why does my token show as expired?
The tool compares the exp timestamp to the current time. If that moment has already passed, the status banner marks the token as expired — and most servers will reject it until a new one is issued.