Paste a JWT token on the left to decode it
JWT Decoder
Paste a JSON Web Token to instantly decode and inspect its header, payload, and signature. Check expiration status, view time claims, and copy decoded values. 100% client-side.
What Is a JWT?
A JSON Web Token is a compact, URL-safe token format used to securely transmit information between parties. JWTs are the industry standard for stateless authentication in web applications, APIs, and microservices. A JWT consists of three Base64URL-encoded parts separated by dots: a header that specifies the algorithm and token type, a payload that contains the claims (the actual data), and a signature that verifies the token has not been tampered with.
This free online JWT decoder parses any JWT and displays its contents in a readable, syntax-highlighted format. It automatically detects and highlights the algorithm used, checks token expiration status, and formats time-related claims into human-readable dates. All decoding happens entirely in your browser, making it safe to use with production tokens.
Key Features
- Instant JWT decoding with syntax-highlighted header and payload
- Automatic expiration status detection: shows whether the token is valid or expired
- Human-readable formatting of iat, exp, and nbf time claims
- Algorithm detection and display from the header
- Color-coded JSON output: strings, numbers, booleans, and null values
- One-click copy for header, payload, and signature sections
- Error detection for malformed or invalid JWT tokens
- Clean, two-panel layout: token input on the left, decoded output on the right
- Fullscreen mode for inspecting large tokens
- 100% client-side: no data is sent to any server
How to Use This Tool
- Paste your JWT token into the text area on the left panel.
- The decoded header, payload, and signature appear instantly on the right.
- Check the status badge to see if the token is valid or expired.
- Review time claims displayed in a readable date format.
- Click the copy icon next to any section to copy it to your clipboard.
- Use the Clear button to reset and decode a new token.
JWT Structure Explained
The Header typically contains two fields: 'alg' specifying the signing algorithm like HS256, RS256, or ES256, and 'typ' which is usually 'JWT'. The header tells the server how to verify the token's signature.
The Payload contains the claims: 'iss' for issuer, 'sub' for subject, 'aud' for audience, 'exp' for expiration time, 'iat' for issued-at time, 'nbf' for not-before time, and any custom claims your application needs. Standard claims have defined meanings in the JWT specification.
The Signature is created by encoding the header and payload, then signing them using the algorithm specified in the header. For HMAC algorithms this requires a shared secret, while for RSA and ECDSA algorithms it uses a private key. The signature ensures the token content has not been altered.
Common Use Cases
- Debugging authentication issues by inspecting token contents and expiration
- Verifying that tokens contain the expected claims before deployment
- Checking if a token has expired when troubleshooting 401 errors
- Understanding the algorithm and structure of third-party tokens
- Learning about JWT format and claims for educational purposes
- Quickly inspecting tokens during API development and testing
Security Notes
- This tool only decodes JWTs — it does not verify signatures, as that requires the secret key or public key
- All decoding happens in your browser; no token data is transmitted to any server
- Never share production tokens in insecure environments
- JWTs are encoded, not encrypted — anyone can decode the payload without the secret key
- Always validate token signatures on your server before trusting the claims
- Set short expiration times and use refresh tokens for better security
