JWT Decoder
Decode and inspect JSON Web Tokens. Header, payload, and claims are decoded client-side: your token never leaves the browser.
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyLCJleHAiOjk5OTk5OTk5OTl9.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5cHS256JWT{
"alg": "HS256",
"typ": "JWT"
}SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5cBase64url-encoded signature using HS256. Signature verification requires the secret key and cannot be performed in-browser without it.
| Claim | Value |
|---|---|
subSubject | 1234567890 |
name | John Doe |
iatIssued At | Jan 18, 2018, 01:30:22 AM 3098d ago |
expExpiration | Nov 20, 2286, 05:46:39 PM in 95093d |
Raw JSON
{
"sub": "1234567890",
"name": "John Doe",
"iat": 1516239022,
"exp": 9999999999
}Free online JWT decoder: inspect JSON Web Token claims instantly
JWT tokens are ubiquitous in modern authentication: used by OAuth 2.0, OpenID Connect, and most REST API authentication schemes. When debugging auth flows, you often need to quickly inspect what claims a token contains, whether it has expired, and which algorithm was used to sign it. This tool decodes both the header and payload from any JWT in seconds.
The claims table presents standard fields like iss, sub, exp, and iat in human-readable form with relative timestamps and an expiry indicator. The colour-coded token view makes it easy to visually identify each segment. Because everything runs in your browser, sensitive production tokens remain private: nothing is logged or transmitted.
Step-by-step guide
- 1Paste your JWT token
Copy a JWT token from your application, API response, browser dev tools, or the demo button and paste it into the input field. - 2View the colour-coded preview
The token is split into header (red), payload (purple), and signature (cyan) segments for easy identification. - 3Inspect the header
The Header section shows the algorithm (alg) and token type (typ) decoded from the first Base64url segment. - 4Read the payload claims
The Payload section shows all claims in a table with human-readable dates for iat, exp, and nbf, plus expiry status. - 5Check expiry and algorithm
The info bar at the top shows the algorithm, token type, when the token was issued, and whether it is currently valid or expired.
Related Tools
JSON Formatter
Validate, format, minify, and explore JSON. Syntax highlighting, error detection, and tree view.
SQL Formatter
Format SQL queries with keyword casing, indentation, and clause alignment.
Regex Tester
Test regular expressions with live matching, group capture, flags, and match highlighting.
Base64
Encode and decode Base64 strings and files. Supports text, binary, and data URLs.
Frequently Asked Questions
- What is a JWT?
- A JSON Web Token (JWT) is a compact, URL-safe token format defined in RFC 7519. It consists of three Base64url-encoded segments separated by dots: a header, a payload of claims, and a cryptographic signature.
- Is it safe to paste my JWT here?
- Yes. Decoding is performed entirely in your browser. The token is never transmitted to any server. That said, treat production tokens with sensitive claims as confidential and avoid sharing them unnecessarily.
- Can this tool verify the JWT signature?
- No. Signature verification requires the secret key (for HMAC algorithms like HS256) or the public key (for RSA/EC algorithms). This tool decodes the header and payload only: verification must be done server-side with the appropriate key.
- What are standard JWT claims?
- Standard registered claims include iss (Issuer), sub (Subject), aud (Audience), exp (Expiration Time), iat (Issued At), nbf (Not Before), and jti (JWT ID). Custom claims can be added alongside these.
- What does the expiry status mean?
- The tool compares the exp claim (a Unix timestamp) with the current browser time. If exp is in the past, the token is shown as Expired with a red indicator. If exp is in the future, it shows Valid with a green indicator.
- What algorithms do JWTs use?
- Common algorithms are HS256 (HMAC-SHA256), HS384, HS512 for symmetric signing; RS256, RS384, RS512 for RSA; and ES256, ES384, ES512 for Elliptic Curve. The algorithm is declared in the header's alg field.
- Can I decode a JWT that uses none as the algorithm?
- Yes. The decoder will show the header and payload. However, tokens with alg: none have no signature and should never be trusted in production applications: any claims could have been forged.
- How do I get the JWT from my browser?
- JWTs are typically stored in localStorage, sessionStorage, or as HTTP-only cookies. Open browser DevTools, go to Application > Storage to find localStorage/sessionStorage tokens, or check the Network tab for Authorization: Bearer headers in API requests.
- What does 'JWT token expired' mean and how do I fix it?
- An expired JWT has an exp claim (expiration time) set to a past Unix timestamp. The server rejects it to prevent indefinite use of old credentials. Fix it by refreshing the token through your app's login or token-refresh flow: a new token with a future exp will be issued.
- Can I use this JWT decoder to debug authentication issues?
- Yes. Paste the JWT from your request headers or browser storage and immediately see all claims, the algorithm, issue time, and expiry status. This quickly confirms whether the token is expired, missing expected claims like sub or aud, or was signed with an unexpected algorithm.
AlteredIdea vs alternatives
vs server-side tools: Everything runs in your browser: your data never leaves your device.
vs VS Code extensions: No install needed. Works instantly in any browser.
vs paid tools: Completely free, no account required.