JWT Decoder Online

Paste a JSON Web Token to decode and inspect its header, payload, claims, expiration, and signature sections in your browser. Decoding does not verify the signature or upload the token.

How to Use

  1. Paste your JWT token into the input field.
  2. Click Decode JWT.
  3. View the decoded header, payload, and signature.
  4. Check expiration and issued-at times in the payload section.

What Is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe token format used for securely transmitting information between parties. It consists of three parts separated by dots: Header, Payload, and Signature.

The header typically contains the token type (JWT) and the signing algorithm (e.g., HS256, RS256). The payload contains the claims: data about the user and additional metadata. The signature is used to verify the token has not been tampered with.

Common JWT Claims

ClaimMeaningWhy it matters
issIssuerIdentifies the system that issued the token.
subSubjectUsually identifies the user, account, or entity the token represents.
audAudienceShows which application or API the token is intended for.
expExpiration timeA token should not be accepted after this Unix timestamp.
iatIssued atHelps you understand when the token was created.

Security Notes

Decode does not mean verify

This page decodes the readable JSON parts of a token. It does not prove that the token is authentic or that the signature is valid.

Avoid sharing live tokens

Even though decoding runs locally, access tokens and ID tokens can contain sensitive claims. Treat production tokens like credentials.

Features

Instant Decoding

Decodes the header and payload from Base64Url and displays them as formatted JSON.

Expiration Check

Automatically detects and displays expiration time, issued-at time, and whether the token is expired.

Client-Side Only

All decoding happens in your browser. Your token is never sent to any server.

Frequently Asked Questions

Can I verify the signature?

This tool decodes and displays the signature but does not verify it. Signature verification requires the secret key or public key, which you should never paste into online tools.

Is it safe to paste my token here?

The decoding happens entirely in your browser. No data is sent to any server. However, avoid pasting production tokens with sensitive claims.

Why are JWT parts separated by dots?

A standard signed JWT has three Base64Url-encoded parts: header, payload, and signature. The dots separate those parts so applications can parse them quickly.

What does an expired token mean?

If the payload contains an exp claim in the past, a correctly implemented API should reject the token even if the payload can still be decoded.

Decode JWT Tokens for Free

Inspect JSON Web Tokens instantly. No sign-up, no limits, no data collection.

Explore All Tools