JWT Decoder

Decode and inspect JSON Web Tokens

About This Tool

A JSON Web Token (JWT) is a compact, URL-safe token format used for authentication and authorization in web applications. A JWT consists of three parts separated by dots: the header (algorithm and token type), the payload (claims such as user ID, roles, and expiration), and the signature (used to verify the token's integrity). Our free online JWT decoder lets you inspect and decode JWT tokens instantly. Paste any JWT string and view the decoded header and payload in a formatted, readable view. The tool also displays token metadata such as the algorithm, issuer, expiration time, and issued-at time, making it invaluable for debugging authentication flows and verifying token claims.

How to Use

  1. Paste your JWT token into the input field. The token is typically a long string with three segments separated by dots, found in Authorization headers as "Bearer <token>" or in cookies.
  2. The decoded header and payload will be displayed immediately in a formatted JSON view. Each claim in the payload is labeled and explained, including standard claims like sub, iat, exp, and iss.
  3. Check the token's expiration status. The tool compares the exp (expiration) claim against the current time and clearly indicates whether the token is expired, valid, or has no expiration set.
  4. Review the algorithm used in the header. Be cautious of tokens using the "none" algorithm: it means the token carries no signature, and a server that accepts such tokens has a known security vulnerability.
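
The steps above as an added JavaScript example (not this tool's own code): it splits the token, base64url-decodes the header and payload, reports the exp status, and flags the "none" algorithm. The function names `b64urlToJson` and `inspectJwt` are hypothetical. The first two sample tokens come from the Examples section of this page and the third is constructed for illustration.

```javascript
// Decode-only inspection: nothing here verifies the signature.
function b64urlToJson(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error("segment is not base64url");
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  // fatal: true rejects malformed UTF-8 instead of silently replacing bytes
  return JSON.parse(new TextDecoder("utf-8", { fatal: true }).decode(bytes));
}

function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().replace(/^Bearer\s+/i, "").split(".");
  if (parts.length !== 3) throw new Error("expected three dot-separated segments");
  const header = b64urlToJson(parts[0]);
  const payload = b64urlToJson(parts[1]);
  const warnings = [];
  if (typeof header.alg !== "string" || header.alg.toLowerCase() === "none") {
    warnings.push('alg is missing or "none": token is unsigned');
  }
  if (parts[2] === "") warnings.push("signature segment is empty");
  // "valid" below means "not expired" only; the signature is still unchecked.
  let status = "no expiration set";
  if (payload.exp !== undefined) {
    if (typeof payload.exp !== "number") {
      status = "invalid exp";
      warnings.push("exp is not a number");
    } else {
      status = nowSeconds >= payload.exp ? "expired" : "valid";
    }
  }
  return { header, payload, status, warnings, signatureVerified: false };
}

const SAMPLES = {
  // From this page's Examples section
  noExp: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c",
  withExp: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwiaWF0IjoxNTE2MjM5MDIyLCJleHAiOjE1MTYyMzkwMjJ9.4Adcj0Q1hGJqRb6a8",
  // Constructed: header {"alg":"none"}, payload {}, empty signature
  unsigned: "eyJhbGciOiJub25lIn0.e30.",
};

for (const [name, token] of Object.entries(SAMPLES)) {
  const r = inspectJwt(token);
  console.log(name, r.header.alg, r.status, r.warnings);
}
```

The `signatureVerified: false` field is a reminder that decoded claims are untrusted until a server-side library has checked the signature with the correct key.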

Frequently Asked Questions

This tool decodes and displays the JWT header and payload but does not verify cryptographic signatures. Signature verification requires the secret key or public key used to sign the token, which should never be shared with a client-side tool. For signature verification, use your server-side code with libraries like jsonwebtoken (Node.js), PyJWT (Python), or similar.
Yes. JWT decoding is a read-only operation that simply base64-decodes the header and payload segments. The token data is processed entirely in your browser and is never sent to any server. However, be mindful that JWT payloads are not encrypted (only encoded), so never put sensitive information like passwords or credit card numbers in a JWT payload.
Common claims include: iss (issuer) identifies who created the token, sub (subject) identifies the user, aud (audience) specifies the intended recipient, exp (expiration time) is the Unix timestamp after which the token is invalid, iat (issued at) is when the token was created, and jti (JWT ID) is a unique identifier for the token. Understanding these claims helps you debug authentication issues.
No, this tool only decodes and displays the contents of JWT tokens. Signature verification requires the secret key or public key used to sign the token. For production applications, always verify JWT signatures on the server side using a proper JWT library.

Examples

Debug Authentication Token

Inspect a Bearer token from your API to check claims and expiration

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Check Token Expiration

Verify if a token is still valid by checking the exp claim

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwiaWF0IjoxNTE2MjM5MDIyLCJleHAiOjE1MTYyMzkwMjJ9.4Adcj0Q1hGJqRb6a8

Inspect User Claims

View user roles, permissions, and metadata stored in the token

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOiI0NTYiLCJyb2xlIjoiYWRtaW4iLCJwZXJtaXNzaW9ucyI6WyJyZWFkIiwid3JpdGUiXX0.signature