Quick answer: A JWT (JSON Web Token, RFC 7519) is a dot-separated string with three parts: header.payload.signature. This free decoder splits a pasted token, Base64url-decodes the header and payload, and displays them as formatted JSON — plus converts the `exp` claim to a human-readable date and flags expiration. Decoding happens 100% in your browser. This tooldecodes — it does not verify signatures (verification requires the issuer's secret or public key and must happen server-side).

JWT Decoder

Decode and inspect JWT tokens. View header and payload as formatted JSON, check expiration, and see algorithm. All decoding happens in your browser — no tokens are stored or transmitted.

JWT Token

Understanding JWT Tokens

JSON Web Tokens (RFC 7519) are a compact, URL-safe way to represent signed claims between two parties. A JWT has three parts separated by dots: header, payload, and signature. The header and payload are Base64url-encoded JSON objects; the signature is a cryptographic signature over those two parts using the algorithm named in the header. This decoder parses the encoded parts so you can inspect the contents without running custom scripts.

Header and Payload

The header usually contains the algorithm (e.g., HS256 or RS256), token type (typ: JWT), and optionally a key ID (kid). The payload holds claims such as sub (subject), exp (expiration), iat (issued at), iss (issuer), and aud (audience). The exp claim is a Unix timestamp in seconds — the decoder displays it in ISO format and indicates whether the token is expired.

Security Note

This tool only decodes the token; it does not verify the signature. Never trust decoded claims without signature verification in a secure environment. Avoid pasting production tokens into unknown tools — this decoder runs entirely in your browser, but caution is warranted with sensitive data.

When NOT to Use This Tool

A browser-based JWT decoder is useful for quick inspection and debugging. It is the wrong tool when:

You need to verify a signature. Verification requires the issuer's secret (HMAC) or public key (RSA/ECDSA/Ed25519) and must run in a trusted environment. Use jsonwebtoken, jose, or PyJWT — never a web tool.
You want to decode opaque tokens. Some access tokens are random identifiers, not JWTs. If the token has no dots or is not three Base64url-encoded parts, it is likely opaque and can only be introspected via the issuer's /introspect endpoint (RFC 7662).
Your token contains sensitive production claims. JWT payloads are readable by anyone with the token. Paste a staging or test token, not a real one — especially avoid pasting tokens with PII, API keys, or tenant identifiers.
You need to decrypt a JWE. JWEs (JSON Web Encryption) are not JWTs — they have five dot-separated parts and an encrypted payload. Decryption requires the recipient's private key and cannot be done client-side without it.
You need batch or automated decoding. For CI pipelines, log parsing, or audit tooling, use jwt-cli, jose CLI, or a language-specific library — not a web page.

Related Tools

Base64 Encoder/Decoder — Manually decode individual JWT segments.
JSON Formatter — Pretty-print the decoded payload for easier scanning.
Hash Generator — SHA-256, HMAC, and related primitives used by JWT signatures.
All Free Tools — Developers, calculators, and utilities.

How to Use the JWT Decoder

Paste your JWT token — Copy the full token string (three Base64url-encoded segments separated by dots) into the input field.
View the decoded header — The header section displays the signing algorithm (e.g., HS256, RS256) and token type as formatted JSON.
Inspect the payload — Review all claims including sub, iss, aud, exp, and any custom claims your application has set.
Check expiration status — The tool automatically converts the exp Unix timestamp to a human-readable date and indicates whether the token is currently valid or expired.
Debug authentication issues — Compare decoded claims against expected values to diagnose 401/403 errors in your API responses.

Common Use Cases

API debugging — Quickly inspect tokens returned by your auth server to verify claims, scopes, and expiration times match expectations.
OAuth2 / OIDC flow troubleshooting — Decode access tokens and ID tokens during integration to confirm issuer, audience, and scope values.
Session management — Verify that refresh tokens carry the correct metadata and that short-lived access tokens expire on schedule.
Security audits — Review tokens for sensitive data exposure — JWTs are encoded but not encrypted, so any data in the payload is readable by anyone with the token.
Mobile app development — Inspect tokens stored on device to debug authentication flows between your mobile client and backend API.

Frequently Asked Questions

Is it safe to paste my JWT token into this tool?

Decoding is done entirely in your browser via client-side JavaScript — no token data is sent to any server or logged. That said, never paste a production access token into a tool you do not control. For production debugging, mint a throwaway token from a test account or use the tool in an incognito session after revoking the pasted token.

What is the difference between JWT encoding and encryption?

JWT tokens are Base64url-encoded — not encrypted. Anyone with the token can decode the header and payload and read every claim in plain text. The signature protects integrity (preventing tampering) but not confidentiality. If you need encrypted tokens, use JWE (JSON Web Encryption, RFC 7516), which wraps a JWT inside an encrypted envelope.

Why does my JWT show as expired even though I just created it?

This is almost always clock skew between the issuing server and the machine running the decoder, or a very short `exp` TTL. Common causes: the issuer's system clock is off, `iat` is set in the future, the `exp` is expressed in milliseconds instead of seconds (JWT uses seconds since Unix epoch — RFC 7519 §2), or a proxy is caching an old token.

Does this tool verify the signature?

No. This is a decoder, not a verifier. Verifying a JWT signature requires the issuer's secret (HMAC) or public key (RSA/ECDSA) and must be done in a trusted environment, never in a shared tool. Use your framework's JWT library (`jsonwebtoken` in Node, `PyJWT` in Python, `jose4j` in Java) for verification.

What algorithms are supported?

Any RFC 7518 algorithm is decoded, because decoding does not depend on the algorithm — the tool reads the header's `alg` field and shows what the issuer claimed. Common values: HS256 (HMAC-SHA256), RS256 (RSA-SHA256), ES256 (ECDSA P-256), EdDSA (Ed25519). "none" is supported but flagged as unsafe per current IETF guidance.

Can I use this tool for ID tokens (OIDC) as well as access tokens?

Yes. OIDC ID tokens are JWTs with additional standardized claims (`iss`, `aud`, `sub`, `nonce`, `at_hash`, etc.). The decoder shows all claims regardless of type. For access tokens, you may see opaque reference tokens instead of JWTs — those cannot be decoded because they are random identifiers, not encoded structures.

What does the kid (key ID) header mean?

The `kid` header identifies which key in the issuer's JWKS (JSON Web Key Set) was used to sign the token. During verification, your library fetches the JWKS (usually from `{issuer}/.well-known/jwks.json`) and picks the matching `kid`. If `kid` is missing or does not match any key in the set, verification fails.

Related Resources