JWT Decoder Online — Decode & Inspect JSON Web Tokens
A free JWT decoder that splits any JSON Web Token into its header, payload, and signature, then pretty-prints the claims so you can debug authentication flows quickly. The tool runs entirely in your browser, so your tokens are never sent to a server — safe for production access tokens, ID tokens, and refresh tokens during incident response.
Features
Header & payload view
See the algorithm, key ID, expiry, and every claim in a readable JSON layout.
Expiry detection
Automatically highlights `exp`, `nbf`, and `iat` claims as human-readable dates and warns on expired tokens.
Zero network calls
Decoding happens in your browser. Tokens are never logged, uploaded, or cached on a server.
Copy-friendly output
Copy the decoded header or payload as JSON with one click for use in tickets or postmortems.
How to decode a JWT token online
Inspect any JSON Web Token in three steps — no install or sign-up required.
- Paste the JWTDrop the full token (three Base64URL-encoded segments separated by dots) into the input box.
- Inspect the headerThe header reveals the signing algorithm (e.g. HS256, RS256) and the key ID (`kid`).
- Read the payloadThe payload shows standard claims (`sub`, `iss`, `aud`, `exp`) plus any custom claims your issuer added.
- Verify expiryCheck the `exp` and `iat` timestamps against the current time to confirm the token is still valid.
Examples
Decode a typical JWT
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkphbmUgRG9lIiwiaWF0IjoxNzE2MDAwMDAwfQ.signature
Header
{
"alg": "HS256",
"typ": "JWT"
}
Payload
{
"sub": "1234567890",
"name": "Jane Doe",
"iat": 1716000000
}The signature segment is shown as-is — verifying it requires the issuer's secret or public key.
Frequently Asked Questions
- Is this JWT decoder safe to use with production tokens?
- Yes. Decoding happens entirely in your browser — the token never leaves your device, is never logged, and is never sent to any server. That said, treat any token you paste as compromised and rotate it if it was a long-lived credential.
- Can it verify the JWT signature?
- The decoder shows you the algorithm and the signature segment but does not verify the signature, because that requires the issuer's secret (HS256) or public key (RS256/ES256). Use your auth provider's SDK or a JWKS endpoint to verify signatures.
- What is the difference between a JWT header and payload?
- The header describes how the token is signed (algorithm, key ID, type). The payload contains the claims — who the token is for, when it expires, and any custom data your application added.
- My JWT shows as expired but my app still accepts it. Why?
- Either the clocks on your machine and the auth server are out of sync, or the application is not enforcing the `exp` claim. Compare the `exp` timestamp with the current server time.
- Does the tool support all JWT algorithms?
- Decoding the header and payload works for every algorithm because both segments are just Base64URL-encoded JSON. Algorithm-specific work (signing, verifying) requires the corresponding key material.
- Can I decode an ID token from Google, Auth0, or Cognito?
- Yes. ID tokens are standard JWTs. The tool shows the OpenID Connect claims (`sub`, `email`, `aud`, `iss`, and provider-specific extras).