
JWT Decoder

Decode and inspect JSON Web Tokens — view header, payload, claims, and expiry status instantly in your browser.


What is JWT Decoder?

JWT Decoder splits any JSON Web Token into its three components — header, payload, and signature — and displays them in a readable format. Timestamp claims (exp, iat, nbf) are automatically converted to human-readable dates. The expiry status shows whether the current time is past the token's exp claim and how much time remains (or how long ago it expired). Note that "not expired" is not the same as "valid": the expiry badge says nothing about whether the signature is genuine or whether the issuer and audience are the ones you expect.

All decoding runs entirely in your browser using `atob()` and `JSON.parse()`. Because JWT segments are Base64URL (the `-` and `_` alphabet, no `=` padding) and `atob()` only accepts standard Base64, the segments are converted before decoding. No token data is ever sent to a server. The signature is displayed as-is; verification is not performed, because it requires the signing secret (HMAC algorithms such as HS256) or the issuer's public key (RS256, ES256), and the tool has neither. A decoded but unverified token must never be trusted for a security decision.
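The decoding steps described above, written out as an added example (this is not the tool's own source): Base64URL-to-Base64 conversion, `atob()`, UTF-8 decoding so non-ASCII claim values survive, and an expiry status computed from `exp`. It assumes a browser or Node 16+ environment where `atob`, `btoa` and `TextDecoder` are globals. The sample token is constructed inline from JSON; its third segment is a placeholder, not a real signature.

```javascript
// Added example of a minimal client-side JWT decoder (not the page's tool code).
// Assumes a browser or Node 16+ (atob, btoa, TextEncoder/TextDecoder are globals).

function base64UrlDecode(segment) {
  // JWT segments are base64url (RFC 4648 s5): '-' and '_' instead of '+' and '/',
  // and no '=' padding. atob() only understands standard base64, so convert first.
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const binary = atob(padded);
  // atob() returns a "binary string" (one char per byte). Decode those bytes as
  // UTF-8 so claim values such as names with accents come out intact.
  const bytes = Uint8Array.from(binary, (c) => c.charCodeAt(0));
  return new TextDecoder('utf-8').decode(bytes);
}

function base64UrlEncode(str) {
  // Inverse of the above; only used here to build the constructed sample token.
  const bytes = new TextEncoder().encode(str);
  const binary = Array.from(bytes, (b) => String.fromCharCode(b)).join('');
  return btoa(binary).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

const TIME_CLAIMS = ['exp', 'iat', 'nbf'];

// Convert the numeric-date claims (seconds since epoch) to ISO 8601 strings.
function humanTimes(payload) {
  const out = {};
  for (const claim of TIME_CLAIMS) {
    if (typeof payload[claim] === 'number') {
      out[claim] = new Date(payload[claim] * 1000).toISOString();
    }
  }
  return out;
}

// Expiry status relative to `nowSeconds` (defaults to the current clock).
// This only compares times; it does not make the token "valid".
function expiryStatus(payload, nowSeconds = Math.floor(Date.now() / 1000)) {
  if (typeof payload.exp !== 'number') return { state: 'no-exp' };
  const delta = payload.exp - nowSeconds;
  return delta > 0
    ? { state: 'unexpired', secondsRemaining: delta }
    : { state: 'expired', secondsAgo: -delta };
}

function decodeJwt(token) {
  const parts = token.trim().split('.');
  // A JWS compact serialisation always has three segments; an "unsecured" JWT
  // (alg "none") still has three, with the last one empty.
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated segments, got ${parts.length}`);
  }
  const [h, p, s] = parts;
  const header = JSON.parse(base64UrlDecode(h));
  const payload = JSON.parse(base64UrlDecode(p));
  // The signature is passed through untouched; nothing here checks it.
  return { header, payload, signature: s, times: humanTimes(payload), expiry: expiryStatus(payload) };
}

// Constructed sample token (not a real credential). The header and payload are
// real JSON; the third segment is a placeholder because nothing here signs.
const SAMPLE_PAYLOAD = { sub: '1234567890', name: 'Zoë', iat: 1700000000, exp: 1700003600, aud: 'api' };
const SAMPLE_TOKEN = [
  base64UrlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' })),
  base64UrlEncode(JSON.stringify(SAMPLE_PAYLOAD)),
  'not-a-real-signature',
].join('.');

console.log(JSON.stringify(decodeJwt(SAMPLE_TOKEN), null, 2));
```

Because `expiryStatus` takes the reference time as a parameter, the same function can be exercised with a fixed clock, which is how a decoder like this should be tested rather than against `Date.now()`.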

Common Use Cases

  • Inspecting the claims inside a JWT returned from an OAuth or OIDC provider
  • Debugging authentication issues by checking token expiry and audience claims
  • Checking which scopes or roles are embedded in an access token (the claims are shown, not verified)
  • Quickly checking the algorithm and key ID (kid) in the token header
  • Comparing expected vs actual claim values during API integration

How to Use JWT Decoder

  1. Paste a JWT token into the text area — decoding happens instantly.
  2. Review the Header (algorithm, token type) and Payload (claims, user data).
  3. Check the expiry status badge to see whether the token has expired. An unexpired token is not necessarily a valid one: the signature is not checked here.

FAQ

What is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe token format used to transmit claims between parties in a form whose integrity can be checked. It consists of three Base64URL-encoded parts separated by dots: a header (algorithm and token type), a payload (claims — data like user ID, roles, and expiry), and a signature (used to verify the token hasn't been tampered with). A signed JWT (JWS) is not encrypted: anyone who holds the token can read the header and payload, which is exactly what this tool does. JWTs are widely used for authentication and authorisation in APIs and single sign-on systems.

Is it safe to paste my JWT into this tool?

All decoding runs in your browser — no data is sent to any server. However, as a general security practice, avoid pasting production access tokens or long-lived tokens from live systems into any online tool: an access token is a bearer credential, so anyone who obtains a copy can use it until it expires. For debugging, use tokens from test or development environments, or use short-lived tokens that will expire soon.

Can this tool verify the JWT signature?

No — signature verification requires the signing key material: the shared secret for HMAC algorithms such as HS256 (which must never be exposed to a browser) or the issuer's public key for asymmetric algorithms such as RS256 and ES256. This tool only decodes (Base64URL-decodes) the header and payload to let you inspect the claims. To verify a signature, use your backend's JWT library with the correct secret or public key, and have it pin the expected algorithm rather than trusting the alg value in the header.

What are the most important JWT claims to check?

These are the registered claims defined in RFC 7519. A verifier should check each against an expected value, not merely for presence:

  • exp (expiration time) — Unix timestamp after which the token must be rejected.
  • iat (issued at) — when the token was issued.
  • nbf (not before) — the token must be rejected before this time.
  • iss (issuer) — who issued the token; compare against the issuer you trust.
  • sub (subject) — who the token represents, usually a user ID.
  • aud (audience) — intended recipient(s) of the token, a string or an array of strings; reject tokens that do not name your service.
  • jti (JWT ID) — unique identifier for the token, used to detect replay when tokens are single-use.

What is the difference between an access token and a refresh token?

An access token is short-lived (minutes to hours) and grants access to protected resources. A refresh token is long-lived (days to months) and is used to obtain new access tokens without re-authentication. Access tokens are often JWTs; refresh tokens may or may not be. A refresh token is equivalent to a long-lived password, so keep it out of browser-accessible storage and out of public clients wherever possible; where a public client must hold one, use refresh-token rotation and a short lifetime so a stolen copy is of limited use.