Free JWT Decoder Online
Decode JSON Web Tokens (JWT) to inspect the header and payload. Instantly see the claims inside any JWT without needing the secret key.
A JSON Web Token (JWT) is a compact, URL-safe token that encodes claims as a JSON object and signs them so the receiver can verify they have not been tampered with. JWTs have three parts separated by dots: the header (which describes the signing algorithm), the payload (which contains the claims, such as user ID, roles, and expiration time), and the signature. The header and payload are Base64url-encoded, not encrypted, which means anyone with the token can read the claims without the secret key. This tool decodes the header and payload of any JWT so you can inspect what is inside.
JWT Decoder
How to use this JWT decoder
- Paste a JWT into the input box. It should look like three Base64url-encoded strings separated by dots.
- The tool auto-decodes as you type, showing the header and payload as formatted JSON.
- The header shows the algorithm (alg) and token type (typ). The payload contains claims including 'sub', 'iat', and 'exp'.
- If the token is expired, a warning banner is shown.
Common use cases
- Inspecting a JWT returned by an authentication API to verify it contains the expected claims
- Debugging an authorization problem by checking what roles or permissions a token actually contains
- Checking the expiration time of a token to understand why a session ended unexpectedly
- Verifying that a token uses the expected signing algorithm (HS256, RS256, etc.)
- Learning about the JWT format and understanding what information is embedded in a bearer token
Frequently asked questions
Is a JWT encrypted?
Not by default. Standard JWTs (JWS — JSON Web Signature) are signed but not encrypted. The payload is Base64url-encoded, which anyone can decode. Do not put sensitive information like passwords in a JWT payload unless you also encrypt the token (JWE).
Can this tool verify a JWT signature?
No. Verifying a signature requires the secret key (for HMAC algorithms) or the public key (for RSA/EC algorithms). This tool only decodes the header and payload, which does not require any key.
What is the difference between 'iat', 'exp', and 'nbf'?
'iat' (issued at) is when the token was created. 'exp' (expiration) is when it expires. 'nbf' (not before) is a timestamp before which the token should not be accepted. All three are standard JWT claims defined in RFC 7519.
Can I create a JWT with this tool?
No — this tool only decodes existing tokens. Creating a JWT requires a signing key, which should never be shared with a browser tool. Use your server-side JWT library to issue tokens.
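An added Python example, not part of this tool's code, that shows the decode-only step described under "How to use this JWT decoder" beside the two checks the FAQ says the tool leaves to you: the exp/nbf time check and the HS256 signature check. The key is a constructed demo value, and mint_hs256 stands in for a server-side issuing library.

```python
import base64
import hashlib
import hmac
import json

def _b64url_decode(segment: str) -> bytes:
    """Base64url-decode one JWT segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def decode_jwt(token: str) -> dict:
    """What the decoder tool does: read header and payload with no key at all."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a JWS compact token has exactly three dot-separated parts")
    return {
        "header": json.loads(_b64url_decode(parts[0])),
        "payload": json.loads(_b64url_decode(parts[1])),
        "signature": _b64url_decode(parts[2]),  # raw bytes, not checked here
    }

def time_status(payload: dict, now: int) -> str:
    """Classify a payload by its RFC 7519 exp/nbf claims at Unix time `now`."""
    if "exp" in payload and now >= payload["exp"]:
        return "expired"
    if "nbf" in payload and now < payload["nbf"]:
        return "not-yet-valid"
    return "ok"

def verify_hs256(token: str, key: bytes) -> bool:
    """The step the tool cannot do: recompute the HMAC over header.payload."""
    head, body, sig = token.split(".")
    if decode_jwt(token)["header"].get("alg") != "HS256":
        return False  # accept only the algorithm we configured, never what the header asks for
    expected = hmac.new(key, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig))

def mint_hs256(payload: dict, key: bytes) -> str:
    """Constructed issuer standing in for a server-side JWT library (not the tool)."""
    compact = {"separators": (",", ":")}
    head = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    body = _b64url_encode(json.dumps(payload, **compact).encode())
    sig = hmac.new(key, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url_encode(sig)}"
```

A token whose payload decodes cleanly and whose exp is in the future still proves nothing until verify_hs256 passes with the server's key; the decode step alone is what this page's tool performs.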