DevHive

JWT Decoder

Decode and inspect JWT tokens

Runs 100% in your browser. Token is never sent to a server.

How to Use JWT Decoder

  1. Paste your JWT token into the input field.

  2. The tool splits the token into its three parts: header, payload, and signature.

  3. Review the decoded header and payload to inspect the claims and expiry.

  4. Note: the tool decodes only. It does not verify the signature.

About JWT Decoder

Decode and inspect JWT tokens online. View the decoded header and payload; the signature is not verified. Decoding runs 100% client-side, so the token stays in your browser.

Best Use Cases

  • Inspecting JWT tokens from API responses to debug authentication issues
  • Checking token expiration time without writing code to decode it
  • Verifying that a JWT contains the expected claims and payload
  • Examining the algorithm used in a JWT's header for security review
  • Debugging OAuth flows by inspecting access and refresh token contents

Examples

Token debug

Paste a JWT from your browser's dev tools. See the decoded header, payload, claims, and expiration time instantly.

Auth check

Decode an access token to verify it contains the correct user ID, roles, and scope claims.

Expiry check

Paste a JWT and look at the exp claim to see exactly when the token expires, in a readable format.

Common Mistakes to Avoid

  • Assuming a decoded JWT means it has been verified, which requires signature validation
  • Pasting tokens with extra whitespace or line breaks that break parsing
  • Sharing JWTs publicly without realizing the payload is only encoded, not encrypted

Limitations

  • Cannot verify JWT signatures without the secret key or public key
  • Only decodes the token structure; does not validate claims against a server
  • Encrypted JWTs (JWE) cannot be decoded without the decryption key
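
The steps under How to Use, together with the whitespace mistake and the JWE limitation listed above, look like this in JavaScript. This is an added example, not DevHive's code; inspectJwt, b64urlToJson and the sample token are constructed for illustration.

```javascript
// Added example: decode-only JWT inspection. It never checks the signature.
function b64urlToJson(segment) {
  // JWT segments are base64url (RFC 4648 section 5) with padding removed.
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error("segment is not base64url");
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}

function inspectJwt(input, nowSeconds = Math.floor(Date.now() / 1000)) {
  // Copy and paste often adds spaces or line breaks; strip all whitespace first.
  const token = String(input).replace(/\s+/g, "");
  const parts = token.split(".");
  if (parts.length === 5) {
    // Five segments is the JWE compact form: the content is encrypted.
    throw new Error("JWE token: cannot decode without the decryption key");
  }
  if (parts.length !== 3) throw new Error(`expected 3 segments, got ${parts.length}`);
  const header = b64urlToJson(parts[0]);
  const payload = b64urlToJson(parts[1]);
  const exp = typeof payload.exp === "number" ? payload.exp : null;
  return {
    header,
    payload,
    signature: parts[2], // kept as opaque text, not checked
    expiresAt: exp === null ? null : new Date(exp * 1000).toISOString(),
    expired: exp === null ? null : nowSeconds >= exp,
    verified: false, // decoding alone never proves who issued the token
    warnings: String(header.alg).toLowerCase() === "none"
      ? ["alg is 'none': the token carries no signature"]
      : [],
  };
}

// Constructed sample token with a placeholder signature, wrapped across
// lines the way a careless paste would leave it.
const SAMPLE = `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
  eyJzdWIiOiJ1c2VyLTEyMyIsImV4cCI6MTcwMDAwMDAwMH0.
  c2lnbmF0dXJl`;

console.log(inspectJwt(SAMPLE));
```

Everything returned here is attacker-controllable until a verifier that holds the secret or public key has validated the signature.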

Frequently Asked Questions

Is it safe to paste my JWT here?

Yes. The decoder runs entirely in your browser. Your token is never sent to any server.

What does a JWT contain?

A JWT has three parts: header (algorithm), payload (claims/data), and signature. The payload is just Base64url-encoded, not encrypted.