JWT Decoder
Decode and inspect JSON Web Tokens (JWT) instantly. View header, payload, and expiration.
What is JWT Decoder?
JWT Decoder is a free online tool that decodes JSON Web Tokens (JWT) and displays the header and payload in a human-readable JSON format. It automatically detects and shows the token's expiration status by reading the exp claim, helping developers quickly determine if a token is still valid. All decoding happens entirely in your browser, so your sensitive tokens are never transmitted over the network.
How to Use JWT Decoder
- Paste your complete JWT (all three Base64URL-encoded parts separated by dots) into the input field
- Click the Decode JWT button to parse the token structure
- Review the decoded header to see the signing algorithm and token type
- Examine the payload to view all claims including subject, issuer, and custom data
- Check the expiration status indicator to see whether the token is currently valid or expired
Tips & Best Practices
Never Share Production Tokens
Even though this tool processes tokens locally, avoid sharing JWT tokens from production environments in screenshots or logs. Tokens may contain sensitive user information in their payload, and an unexpired token could be used for unauthorized access.
Understand the Three Parts
A JWT consists of three Base64URL-encoded parts separated by dots: the header (algorithm and type), the payload (claims and data), and the signature (an HMAC or digital signature computed over the first two parts). This tool decodes the first two parts, which are not encrypted, only encoded.
Check Expiration Regularly
The exp claim contains the token's expiration time as a Unix timestamp. When debugging authentication issues, always check whether the token has expired first, as this is the most common cause of 401 Unauthorized errors in API calls.
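The following is an added example, not the tool's own code, showing the decoding described in the two tips above: split the token on dots, Base64URL-decode the header and payload, and evaluate the exp (and nbf) claims against a clock. The sample token, its claims and the placeholder signature segment are constructed for the example; the tool itself never checks the signature, and neither does this function.

```javascript
// Added example (not the tool's code): decode a JWT's header and payload
// the way a browser-side decoder does, and report expiration status from exp.

// Convert a Base64URL segment (RFC 4648 section 5, unpadded) to a UTF-8 string.
function base64UrlDecode(segment) {
  let b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const rem = b64.length % 4;
  if (rem === 1) throw new Error('invalid base64url length');
  if (rem) b64 += '='.repeat(4 - rem);
  const bytes = Uint8Array.from(atob(b64), c => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

// Inverse of the above; used here only to build the constructed sample token.
function base64UrlEncode(str) {
  const bytes = new TextEncoder().encode(str);
  let bin = '';
  for (const b of bytes) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Decode WITHOUT verifying the signature. Returns the parsed header and payload,
// the raw signature segment, and a status derived from exp/nbf versus nowSeconds.
function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated parts, got ${parts.length}`);
  }
  const [h, p, s] = parts;
  const header = JSON.parse(base64UrlDecode(h));
  const payload = JSON.parse(base64UrlDecode(p));

  // exp and nbf are Unix timestamps in seconds, per RFC 7519.
  let status = 'no exp claim';
  if (typeof payload.exp === 'number') {
    status = payload.exp > nowSeconds ? 'valid' : 'expired';
  }
  if (typeof payload.nbf === 'number' && payload.nbf > nowSeconds) {
    status = 'not yet valid';
  }
  // verified is always false: decoding says nothing about authenticity.
  return { header, payload, signature: s, status, verified: false };
}

// Constructed sample token: HS256 header, a few standard and custom claims,
// and a placeholder third segment standing in for the signature.
const SAMPLE_HEADER = { alg: 'HS256', typ: 'JWT' };
const SAMPLE_PAYLOAD = {
  iss: 'https://issuer.example',
  sub: 'user-123',
  aud: 'api.example',
  iat: 1700000000,
  exp: 1700003600,
  role: 'admin',
};
const SAMPLE_JWT = [
  base64UrlEncode(JSON.stringify(SAMPLE_HEADER)),
  base64UrlEncode(JSON.stringify(SAMPLE_PAYLOAD)),
  'not-a-real-signature',
].join('.');

// Usage: decodeJwt(SAMPLE_JWT, 1700000100).status is 'valid';
// decodeJwt(SAMPLE_JWT, 1700009999).status is 'expired'.
```

Passing an explicit nowSeconds makes the expiration check reproducible when debugging; omitting it uses the current clock, which is what the online tool does.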
Look for Custom Claims
Beyond standard claims like iss, sub, and exp, many applications add custom claims such as user roles, permissions, or tenant IDs. Understanding these custom claims can help you debug authorization and access control issues more effectively.
Common Use Cases
API Debugging
When API requests return authentication errors, decode the JWT from the Authorization header to check if the token is expired, issued for the wrong audience, or missing required claims that the API expects.
OAuth Flow Troubleshooting
During OAuth 2.0 and OpenID Connect implementation, inspect ID tokens and access tokens to verify that the identity provider is returning the correct scopes, claims, and audience values in the token payload.
Security Auditing
Review JWT tokens to ensure they do not contain excessive or sensitive information in their payload. Since JWT payloads are only Base64-encoded (not encrypted), any data in the payload can be read by anyone who intercepts the token.
FAQ
Is it safe to paste my JWT here?
Yes. All decoding happens locally in your browser. No data is sent to any server.
Can this tool verify JWT signatures?
This tool only decodes and displays JWT contents; it does not verify the signature. Verification requires the signing key, which inspection does not need, so a token that decodes cleanly here has not been shown to be authentic.
What is the difference between JWS and JWE?
JWS (JSON Web Signature) tokens have a signed but readable payload, which is what most people mean by JWT. JWE (JSON Web Encryption) tokens have an encrypted payload that cannot be read without the decryption key. This tool works with JWS tokens, which are by far the most common type in practice.
Why can I read the payload without the secret key?
JWT payloads are Base64URL-encoded, not encrypted. The signature only ensures the token has not been tampered with; it does not hide the contents. This is by design, so never store truly secret information in a JWT payload unless you use JWE encryption.
What are common JWT claims?
Standard claims include iss (issuer), sub (subject/user ID), aud (audience), exp (expiration time), nbf (not before), iat (issued at), and jti (JWT ID). Applications frequently add custom claims for roles, permissions, and other application-specific data.