Free Online JWT Decoder
Paste any JSON Web Token to instantly decode its header and payload, inspect all claims, and check whether the token is expired. Runs entirely in your browser — your token is never sent anywhere.
What is a JWT?
A JWT (JSON Web Token) is a compact, URL-safe token format defined by RFC 7519. It consists of three Base64url-encoded parts separated by dots:
- Header — describes the token type and signing algorithm (e.g. HS256, RS256)
- Payload — contains claims: statements about the user and additional metadata
- Signature — a cryptographic signature over the header and payload, so any tampering with them can be detected
Common JWT Claims
| Claim | Full Name | Description |
|---|---|---|
| iss | Issuer | Who issued the token (e.g. your auth server) |
| sub | Subject | Who the token is about (usually a user ID) |
| aud | Audience | Who the token is intended for |
| exp | Expiration | Unix timestamp when the token expires |
| iat | Issued At | Unix timestamp when the token was issued |
| nbf | Not Before | Unix timestamp before which the token is invalid |
| jti | JWT ID | Unique identifier for replay prevention |
Frequently Asked Questions
Is decoding a JWT the same as verifying it?
No. Decoding simply Base64url-decodes the header and payload so you can read the contents — it requires no key and proves nothing about authenticity. Verification checks the cryptographic signature using a secret (HMAC) or public key (RSA/EC) to confirm the token was issued by a trusted party and has not been tampered with.
This tool only decodes. Never trust a decoded JWT unless your server has verified its signature.
Is it safe to paste my JWT here?
All decoding happens locally in your browser using JavaScript — no data is ever sent to a server. That said, avoid pasting production tokens into any online tool as a best practice. Use this tool with test/dev tokens.
What algorithms does JWT support?
JWTs commonly use HS256 (HMAC-SHA256, symmetric), RS256 (RSA-SHA256, asymmetric), and ES256 (ECDSA-SHA256, asymmetric). The algorithm is specified in the header's alg field. Use asymmetric algorithms (RS256, ES256) for public-facing APIs where multiple services need to verify tokens without sharing a secret.
Why is my token showing as expired?
JWT expiry is determined by the exp claim, which is a Unix timestamp (seconds). If the current time exceeds this value, the token is considered expired. Check the iat (issued at) and exp fields in the decoded payload — this tool shows both the raw timestamp and a human-readable date for easy debugging.
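The decode-only behaviour described above, together with the exp/nbf check, as an added example (not the tool's own code): it Base64url-decodes the header and payload, parses the JSON, and classifies the token as active, expired or not-yet-valid from its Unix-second claims. The sample token is constructed inline with a fake signature segment; the signature is never checked, so the result says nothing about authenticity.

```javascript
const B64URL = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

// Base64url (RFC 4648 §5, no padding) -> UTF-8 string; JWT segments use this alphabet.
function base64UrlDecode(s) {
  const bytes = [];
  let buf = 0, bits = 0;
  for (const ch of s) {
    const v = B64URL.indexOf(ch);
    if (v < 0) throw new Error(`invalid base64url character: ${JSON.stringify(ch)}`);
    buf = ((buf << 6) | v) & 0xffff; bits += 6;
    if (bits >= 8) { bits -= 8; bytes.push((buf >> bits) & 0xff); }
  }
  return new TextDecoder().decode(Uint8Array.from(bytes));
}
// UTF-8 string -> base64url; used only to build the constructed sample token below.
function base64UrlEncode(str) {
  let out = "", buf = 0, bits = 0;
  for (const b of new TextEncoder().encode(str)) {
    buf = ((buf << 8) | b) & 0xffff; bits += 8;
    while (bits >= 6) { bits -= 6; out += B64URL[(buf >> bits) & 63]; }
  }
  return bits > 0 ? out + B64URL[(buf << (6 - bits)) & 63] : out;
}
// Split header.payload.signature, parse the first two, leave the signature opaque.
// Decoding only: header fields such as alg are untrusted input until a server
// has verified the signature with the key and algorithm it expects.
function decodeJwt(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("JWT must have exactly three dot-separated parts");
  return {
    header: JSON.parse(base64UrlDecode(parts[0])),
    payload: JSON.parse(base64UrlDecode(parts[1])),
    signature: parts[2], // NOT verified here
  };
}
// exp and nbf are NumericDate values in Unix seconds (RFC 7519 §4.1.4, §4.1.5):
// the token is expired once now >= exp, and not yet valid while now < nbf.
function timeStatus(payload, nowSeconds = Math.floor(Date.now() / 1000)) {
  if (typeof payload.exp === "number" && nowSeconds >= payload.exp) return "expired";
  if (typeof payload.nbf === "number" && nowSeconds < payload.nbf) return "not-yet-valid";
  return "active";
}
// Constructed sample: HS256 header, one-hour lifetime, placeholder signature segment.
function sampleToken() {
  const header = { alg: "HS256", typ: "JWT" };
  const payload = { iss: "https://auth.example", sub: "user-42", iat: 1600000000, nbf: 1600000000, exp: 1600003600 };
  return [base64UrlEncode(JSON.stringify(header)), base64UrlEncode(JSON.stringify(payload)),
          base64UrlEncode("not-a-real-signature")].join(".");
}
```

Calling `timeStatus(decodeJwt(sampleToken()).payload)` against the current clock reports the constructed token as expired, since its exp lies in 2020.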