JWT Decoder: Decode and Inspect JSON Web Tokens Online for Free
Our free online JWT Decoder lets you paste any JSON Web Token and instantly see its decoded header and payload, plus the raw signature segment. Inspect token claims like issuer, subject, expiration, and audience without writing any code. Everything runs in your browser: your tokens are never sent to any server.
What Is a JSON Web Token (JWT)?
A JSON Web Token (JWT) is an open standard (RFC 7519) for representing claims as a compact, URL-safe JSON object that can be passed between parties. In the usual signed form, the signature lets the recipient check who issued the token and that it has not been altered; it does not hide the contents. JWTs are commonly used for authentication and authorization in web applications. When you log in to a website, the server often returns a JWT that your browser includes in subsequent requests to prove your identity.
A JWT consists of three parts separated by dots:
- Header: specifies the token type and signing algorithm, e.g. {"alg": "HS256", "typ": "JWT"}
- Payload: contains the claims, i.e. statements about the entity (usually the user) and additional data, e.g. {"sub": "1234567890", "name": "John Doe", "iat": 1516239022}
- Signature: a MAC or digital signature over the encoded header and payload, used to verify the token has not been tampered with
Each part is Base64Url-encoded, making the token compact and URL-safe. For example, a typical JWT looks like eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c.
How to Use This JWT Decoder
- Paste your JWT in the input field. The token should be a string of three Base64Url-encoded parts separated by dots.
- View the decoded header: the algorithm, token type, and other metadata appear instantly.
- View the decoded payload: all claims are displayed in a formatted, easy-to-read table with human-readable timestamps.
- Check token status: the tool automatically checks whether the token is expired based on the exp claim.
- Copy any section: click the copy button next to the header or payload to copy the decoded JSON.
All decoding happens locally in your browser with JavaScript. Each segment is converted from Base64Url to standard Base64 (the URL-safe - and _ are mapped back to + and /, and the = padding is restored) before being passed to the built-in atob function, because atob does not accept the URL-safe alphabet. No data is transmitted over the network.
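The decoding steps above, written out as an added example. This is not the decoder's own source code; it shows the Base64Url-to-Base64 conversion that atob needs, the three-part split, the NumericDate conversion, and the exp/nbf status check. The sample token is the one shown earlier on this page; the second token built by makeUnsignedToken is constructed here purely to exercise the expiry check and carries a placeholder signature, which is fine because decoding never verifies it. atob, btoa, TextEncoder and TextDecoder are assumed to be available as globals (any modern browser, or Node 16 and later).

```javascript
// Added example: decode a JWT without verifying it, with correct Base64Url handling.

function base64UrlDecode(segment) {
  // JWT segments use the URL-safe alphabet ('-' and '_') and omit '=' padding;
  // atob() only understands the standard alphabet, so convert first.
  let b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const rem = b64.length % 4;
  if (rem === 1) throw new Error("invalid Base64Url segment length");
  if (rem !== 0) b64 += "=".repeat(4 - rem);
  const binary = atob(b64); // "binary string": one character per byte
  const bytes = Uint8Array.from(binary, (ch) => ch.charCodeAt(0));
  return new TextDecoder("utf-8").decode(bytes); // JSON text is UTF-8, so decode the bytes properly
}

function base64UrlEncode(text) {
  // Inverse of base64UrlDecode, used here only to construct test tokens.
  const bytes = new TextEncoder().encode(text);
  const binary = Array.from(bytes, (b) => String.fromCharCode(b)).join("");
  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Decode only. `now` is seconds since the Unix epoch and is a parameter so the
// expiry and not-before checks are deterministic in tests.
function decodeJwt(token, now = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("a JWT has exactly three dot-separated parts");
  const [h, p, s] = parts;
  const header = JSON.parse(base64UrlDecode(h));
  const payload = JSON.parse(base64UrlDecode(p));
  if (!header || typeof header !== "object" || !payload || typeof payload !== "object") {
    throw new Error("header and payload must be JSON objects");
  }
  // exp, nbf and iat are NumericDate values: whole seconds, not milliseconds.
  const times = {};
  for (const claim of ["iat", "nbf", "exp"]) {
    if (typeof payload[claim] === "number") {
      times[claim] = new Date(payload[claim] * 1000).toISOString();
    }
  }
  return {
    header,
    payload,
    signature: s, // still Base64Url; only a verifier holding the key can check it
    expired: typeof payload.exp === "number" && now >= payload.exp,   // RFC 7519: now must be before exp
    notYetValid: typeof payload.nbf === "number" && now < payload.nbf, // RFC 7519: now must be >= nbf
    times,
  };
}

// The sample token from this page: HS256 header, payload with sub/name/iat.
const SAMPLE_JWT =
  "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9." +
  "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ." +
  "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c";

// Constructed test token: same header, arbitrary payload, placeholder signature "AAAA".
function makeUnsignedToken(payload) {
  const header = base64UrlEncode(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  return `${header}.${base64UrlEncode(JSON.stringify(payload))}.AAAA`;
}

console.log(JSON.stringify(decodeJwt(SAMPLE_JWT), null, 2));
console.log(decodeJwt(makeUnsignedToken({ sub: "u1", exp: 1000 }), 1500).expired); // true
```

Note that nothing here touches the signature segment: a token that decodes cleanly and shows a valid-looking payload may still have been forged, which is why the tips further down insist on server-side verification.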
Key Features
| Feature | Benefit |
|---|---|
| Instant decoding | Header and payload are decoded as you type |
| Formatted JSON output | Pretty-printed JSON with syntax highlighting |
| Timestamp conversion | iat, exp, and nbf claims shown as human-readable dates |
| Expiration check | Automatically detects and highlights expired tokens |
| Claim descriptions | Common claims like sub, iss, and aud are labeled |
| Copy to clipboard | Copy decoded header or payload JSON with one click |
| Zero data transfer | All decoding happens locally in your browser |
Common JWT Claims Reference
The first seven claims below are the registered claims from RFC 7519. name and email are OpenID Connect standard claims; role is application-specific and scope follows OAuth 2.0 convention. Timestamps are NumericDate values: whole seconds since the Unix epoch, not milliseconds.
| Claim | Name | Description |
|---|---|---|
| iss | Issuer | Identifies the principal that issued the token; a verifier should compare it with the issuer it expects |
| sub | Subject | Identifies the principal (usually the user) that the token is about |
| aud | Audience | Identifies the recipients the token is intended for; a single string or an array of strings. A recipient should reject tokens not addressed to it |
| exp | Expiration Time | NumericDate after which the token is no longer valid |
| nbf | Not Before | NumericDate before which the token is not valid |
| iat | Issued At | NumericDate at which the token was issued |
| jti | JWT ID | Unique identifier for the token, useful for replay detection and revocation lists |
| name | Name | Full name of the user |
| email | Email | Email address of the user |
| role | Role | User role or permission level (not defined by RFC 7519; its meaning is set by the application) |
| scope | Scope | Granted permissions or scopes, conventionally a space-separated string |
For encoding data to include in URLs, try our URL Encoder/Decoder. For Base64 encoding, use the Base64 Encoder/Decoder.
Real-World Use Cases
Debugging Authentication Issues
When a user reports that they cannot access a protected resource, the first step is to inspect their JWT. Decode the token to check if it has expired, if the sub claim matches the expected user ID, or if the role claim includes the necessary permissions.
Verifying Token Content During Development
When building or testing an API, you frequently need to verify that the server is issuing tokens with the correct claims. Paste the token into the decoder to quickly verify the payload without writing a test script.
Inspecting Third-Party Tokens
When integrating with identity providers like Google or Auth0, the OpenID Connect ID token returned by their authentication flows is a JWT. Decoding these tokens helps you understand what claims are available and how to map them to your user model. Note that access tokens from some providers (GitHub's OAuth tokens, for example) are opaque strings rather than JWTs and will not decode.
Learning How JWTs Work
If you are new to JWTs, decoding real tokens is the best way to understand their structure. You can see exactly what information is stored in the header and payload, and how Base64Url encoding works.
Tips for Working with JWTs
- Never store sensitive data in a JWT. The payload is Base64Url-encoded, not encrypted. Anyone who obtains the token can read its contents exactly as this tool does. Keep secrets and personal data in server-side sessions.
- Always use HTTPS. JWTs sent over unencrypted connections can be intercepted and stolen. HTTPS ensures tokens are encrypted in transit.
- Set short expiration times. The shorter the token lifetime, the less damage an attacker can do if they steal it. Use refresh tokens for long-lived sessions.
- Validate the signature server-side. This decoder only reads the token; it does not verify the signature. Always validate the signature on your backend using the signing key, and only then trust any claim in the payload.
- Use the aud claim. Always specify the intended audience, and have each service reject tokens that are not addressed to it, so a token issued for one service cannot be replayed against another.
- Watch for the none algorithm. Some older JWT libraries accept tokens with "alg": "none", which bypasses signature verification. Reject such tokens, and more generally never let the token's own alg header decide how it is verified: pin the expected algorithm (or a short allowlist) in server configuration.
Frequently Asked Questions
Is this JWT Decoder free to use?
Yes. The tool is completely free, requires no account, and has no usage limits.
Does this tool send my token to a server?
No. All decoding happens entirely in your browser using JavaScript. Your JWT is never transmitted over the network by this page. Even so, treat a pasted production token as a live credential: the clipboard and any browser extensions can see it, so prefer test tokens or ones that have already expired.
Does this tool verify the JWT signature?
No. This tool decodes the token to display its contents but does not verify the signature. Verification requires the issuer's key material: for HMAC algorithms such as HS256 that is a shared secret that must never leave the backend, and for RS256 or ES256 it is the issuer's public key. Always verify signatures on your backend.
What JWT algorithms are supported?
The decoder works with any JWT regardless of the signing algorithm (HS256, RS256, ES256, etc.). Since it only decodes the Base64Url-encoded parts, the algorithm does not matter for decoding.
What happens if I paste an invalid JWT?
The tool will display an error message indicating that the token format is invalid. A valid JWT must contain exactly three Base64Url-encoded parts separated by dots.
Can I decode refresh tokens or opaque tokens?
This tool only works with JWT-format tokens (three dot-separated Base64Url parts). Refresh tokens decode only if the issuer chose to make them JWTs; many are not. Opaque tokens (random strings that the server looks up in its own store) cannot be decoded because they carry no structured content.