JWT Decoder

Decode and inspect JWT tokens. View header and payload as formatted JSON, check expiration time, and see if the token is expired. All decoding happens in your browser—no tokens are stored or transmitted.

JWT Token

Understanding JWT Tokens

JSON Web Tokens (JWT) are a compact way to represent claims between two parties. A JWT has three parts separated by dots: header, payload, and signature. The header and payload are Base64url-encoded JSON objects. Our decoder parses these so you can inspect the contents without running custom scripts.

Header and Payload

The header usually contains the algorithm (e.g., HS256 or RS256) and token type. The payload holds claims such as sub (subject), exp (expiration), and iat (issued at). The exp claim is a Unix timestamp—we display it in ISO format and indicate whether the token is expired.

Security Note

This tool only decodes the token; it does not verify the signature. Never trust decoded claims without signature verification in a secure environment. Avoid pasting production tokens into unknown tools—this tool runs entirely in your browser, but exercise caution with sensitive data.

Related Tools

Base64 Encoder/Decoder — Encode and decode Base64 strings.
JSON Formatter — Format and validate JSON.
All Free Tools — Developers, calculators, and utilities.

How to Use the JWT Decoder

Paste your JWT token — Copy the full token string (three Base64url-encoded segments separated by dots) into the input field.
View the decoded header — The header section displays the signing algorithm (e.g., HS256, RS256) and token type as formatted JSON.
Inspect the payload — Review all claims including sub, iss, aud, exp, and any custom claims your application has set.
Check expiration status — The tool automatically converts the exp Unix timestamp to a human-readable date and indicates whether the token is currently valid or expired.
Debug authentication issues — Compare decoded claims against expected values to diagnose 401/403 errors in your API responses.

Common Use Cases

API debugging — Quickly inspect tokens returned by your auth server to verify claims, scopes, and expiration times match expectations.
OAuth2 flow troubleshooting — Decode access tokens and ID tokens during OAuth2/OIDC integration to confirm issuer, audience, and scope values.
Session management — Verify that refresh tokens carry the correct metadata and that short-lived access tokens expire on schedule.
Security audits — Review tokens for sensitive data exposure—JWTs are encoded but not encrypted, so any data in the payload is readable by anyone with the token.
Mobile app development — Inspect tokens stored on device to debug authentication flows between your mobile client and backend API.

Frequently Asked Questions

Is it safe to paste my JWT token into this tool?

Yes. This tool runs entirely in your browser using JavaScript. No token data is sent to any server. However, avoid pasting production tokens with sensitive claims into any tool you do not control. Use our Base64 Encoder/Decoder if you need to manually inspect individual token segments.

What is the difference between JWT encoding and encryption?

JWT tokens are Base64url-encoded, meaning anyone can decode and read the header and payload. Encoding is not encryption—it provides no confidentiality. If you need encrypted tokens, use JWE (JSON Web Encryption). For hashing and integrity checks, try our Hash Generator.

Why does my JWT show as expired even though I just created it?

This typically happens due to clock skew between your server and client, or because the exp claim was set with a very short TTL. Verify that your server's system clock is synchronized and that token lifetimes match your application requirements. Our web development team can help design robust authentication architectures.

Related Resources

Understanding JWT Tokens

Header and Payload

Security Note

Related Tools

Base64 Encoder/Decoder — Encode and decode Base64 strings.

JSON Formatter — Format and validate JSON.

All Free Tools — Developers, calculators, and utilities.

How to Use the JWT Decoder

Paste your JWT token — Copy the full token string (three Base64url-encoded segments separated by dots) into the input field.

View the decoded header — The header section displays the signing algorithm (e.g., HS256, RS256) and token type as formatted JSON.

Inspect the payload — Review all claims including sub, iss, aud, exp, and any custom claims your application has set.

Check expiration status — The tool automatically converts the exp Unix timestamp to a human-readable date and indicates whether the token is currently valid or expired.

Debug authentication issues — Compare decoded claims against expected values to diagnose 401/403 errors in your API responses.

Common Use Cases

API debugging — Quickly inspect tokens returned by your auth server to verify claims, scopes, and expiration times match expectations.

OAuth2 flow troubleshooting — Decode access tokens and ID tokens during OAuth2/OIDC integration to confirm issuer, audience, and scope values.

Session management — Verify that refresh tokens carry the correct metadata and that short-lived access tokens expire on schedule.

Security audits — Review tokens for sensitive data exposure—JWTs are encoded but not encrypted, so any data in the payload is readable by anyone with the token.

Mobile app development — Inspect tokens stored on device to debug authentication flows between your mobile client and backend API.

Frequently Asked Questions

Is it safe to paste my JWT token into this tool?

What is the difference between JWT encoding and encryption?

Why does my JWT show as expired even though I just created it?