JWT Decoder Online
Paste a JSON Web Token to decode and inspect its header, payload, claims, expiration, and signature sections in your browser. Decoding does not verify the signature or upload the token.
Header
Payload
Signature
How to Use
- Paste your JWT token into the input field.
- Click Decode JWT.
- View the decoded header, payload, and signature.
- Check expiration and issued-at times in the payload section.
What Is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe token format used for securely transmitting information between parties. It consists of three parts separated by dots: Header, Payload, and Signature.
The header typically contains the token type (JWT) and the signing algorithm (e.g., HS256, RS256). The payload contains the claims: data about the user and additional metadata. The signature is used to verify the token has not been tampered with.
Common JWT Claims
| Claim | Meaning | Why it matters |
|---|---|---|
| iss | Issuer | Identifies the system that issued the token. |
| sub | Subject | Usually identifies the user, account, or entity the token represents. |
| aud | Audience | Shows which application or API the token is intended for. |
| exp | Expiration time | A token should not be accepted after this Unix timestamp. |
| iat | Issued at | Helps you understand when the token was created. |
Security Notes
Decode does not mean verify
This page decodes the readable JSON parts of a token. It does not prove that the token is authentic or that the signature is valid.
Avoid sharing live tokens
Even though decoding runs locally, access tokens and ID tokens can contain sensitive claims. Treat production tokens like credentials.
Features
Instant Decoding
Decodes the header and payload from Base64Url and displays them as formatted JSON.
Expiration Check
Automatically detects and displays expiration time, issued-at time, and whether the token is expired.
Client-Side Only
All decoding happens in your browser. Your token is never sent to any server.
Frequently Asked Questions
Can I verify the signature?
This tool decodes and displays the signature but does not verify it. Signature verification requires the secret key or public key, which you should never paste into online tools.
Is it safe to paste my token here?
The decoding happens entirely in your browser. No data is sent to any server. However, avoid pasting production tokens with sensitive claims.
Why are JWT parts separated by dots?
A standard signed JWT has three Base64Url-encoded parts: header, payload, and signature. The dots separate those parts so applications can parse them quickly.
What does an expired token mean?
If the payload contains an exp claim in the past, a correctly implemented API should reject the token even if the payload can still be decoded.
Related Guides
MoreRelated Tools
JSON Formatter & Validator
Format, validate, minify, and beautify JSON data with syntax error detection.
Base64 Encoder & Decoder
Encode text to Base64 or decode Base64 strings back to readable text instantly.
URL Encoder & Decoder
Encode or decode URL strings for safe web transmission using standard percent-encoding.
SHA-256 Hash Generator
Generate SHA-256, SHA-512, and SHA-1 hashes from text locally using the Web Crypto API.
Decode JWT Tokens for Free
Inspect JSON Web Tokens instantly. No sign-up, no limits, no data collection.
Explore All Tools