JWT Decoder
Decode JSON Web Tokens (JWT) instantly. View the header and payload with pretty-printed JSON and syntax highlighting. Inspect claims like iss, sub, exp, and iat. No signature verification - decode only for debugging and inspection.
Decode and inspect JSON Web Tokens (JWT) instantly with our free decoder. Paste any JWT to view the header and payload with pretty-printed JSON and syntax highlighting. See all claims including iss,sub,exp, and custom claims. This tool does not verify signatures - it's designed for debugging and inspection only. 100% client-side processing means your tokens never leave your browser.
Enter a JWT token to decode
100% Client-Side Processing
All JWT decoding happens directly in your browser. Your tokens are never sent to any server, stored, or logged. This tool works completely offline after the page loads.
Decode Only - No Signature Verification
This tool only decodes and displays JWT contents. It does not verify the signature. Anyone can create a JWT with any payload. Always verify tokens server-side before trusting their contents.
How to Use the JWT Decoder
- Paste your JWT into the input textarea. The token should have three parts separated by dots (header.payload.signature).
- View the decoded header showing the algorithm (alg) and token type (typ).
- Inspect the payload with all claims. Timestamps like exp, iat, and nbf are automatically converted to readable dates.
- Copy individual values from the claims table, or copy all decoded JSON at once.
- Check warnings for expired tokens or tokens not yet valid.
JWT Structure Explained
A JSON Web Token consists of three Base64URL-encoded parts separated by dots:
| Part | Contains | Example Content |
|---|---|---|
| Header | Algorithm & token type | {"alg": "HS256", "typ": "JWT"} |
| Payload | Claims (user data, expiration, etc.) | {"sub": "123", "name": "John"} |
| Signature | Cryptographic signature | HMACSHA256(header + payload, secret) |
Common JWT Claims
issIssuer
Who issued the token (e.g., auth server URL)
subSubject
Who the token is about (e.g., user ID)
audAudience
Intended recipient (e.g., API URL)
expExpiration
When the token expires (Unix timestamp)
nbfNot Before
Token not valid before this time
iatIssued At
When the token was issued
Related Tools
Need to format JSON data? Try our JSON Formatter & Viewer. Working with Base64 encoding? Use our Base64 Encoder/Decoder.
Frequently Asked Questions
What is a JWT and how does it work?βΌ
A JSON Web Token (JWT) is a compact, URL-safe way to represent claims between two parties. It's commonly used for authentication - after logging in, a server issues a JWT that the client stores and sends with subsequent requests. The token contains encoded JSON data (claims) and a cryptographic signature to verify its authenticity.
Why doesn't this tool verify signatures?βΌ
Signature verification requires the secret key (for HMAC) or public key (for RSA/ECDSA), which should never be exposed to client-side code. This tool is designed for debugging and inspection only. In production, always verify JWT signatures on your backend server using the appropriate keys.
Is it safe to paste my JWT here?βΌ
Yes, this tool runs entirely in your browser. Your JWT is never sent to any server. However, be cautious about sharing JWTs in general - they often contain sensitive information and can be used to impersonate users if not expired. For testing, consider using expired tokens or tokens from development environments.
What do the timestamp claims mean?βΌ
JWT timestamps are Unix timestamps (seconds since Jan 1, 1970). exp is when the token expires and should no longer be accepted. iat is when it was issued.nbf (not before) means the token shouldn't be accepted before this time. This tool automatically converts these to human-readable dates.
Can anyone read the contents of a JWT?βΌ
Yes! JWTs are encoded, not encrypted. Anyone with the token can decode and read its contents. The signature only ensures the token hasn't been tampered with - it doesn't hide the data. Never put sensitive information like passwords in a JWT. If you need encrypted tokens, consider JWE (JSON Web Encryption) instead.
Frequently Asked Questions
β Is this tool free?
Yes! All our tools are completely free. No registration, no hidden charges, no ads. Just open and use.
π Is my data safe?
Absolutely. All calculations happen in your browser. We don't store, send, or track any of your data. Everything is processed locally on your device.
π± Can I use this on mobile?
Yes! All our tools are fully responsive and work perfectly on smartphones, tablets, and desktops.
π Do I need internet?
No! Once the page loads, you can use the tool completely offline. All calculations happen in your browser without any server connection.