Decode JWT Token Online — Free JWT Inspector

Paste any JSON Web Token (JWT) to instantly decode its header, payload, and signature. Inspect all claims including sub, iat, exp, roles, and custom fields — useful for debugging authentication issues in development and testing.

Tips

JWT structure: three parts
A JWT consists of three Base64URL-encoded parts separated by dots: Header (algorithm & type), Payload (claims), and Signature (verification).
Check the exp claim for expiry
The exp claim is a Unix timestamp (seconds since Jan 1 1970). If exp is in the past, the token is expired. Convert it to a readable date using a timestamp converter.
The signature cannot be verified without the secret
This tool decodes the header and payload, but cannot verify the signature without the private key or secret. For signature verification, use your application's auth library.
Don't decode production tokens in online tools
For sensitive production JWTs, decode them locally using jwt.io or a library. Only use online tools for development and test tokens that contain no sensitive user data.

JWT Decoder

Security

Decode and inspect JSON Web Tokens — view header, payload, and claims instantly.

About this tool

What is the JWT Decoder?

A JSON Web Token (JWT) is a compact, self-contained token used to transmit information between parties — most commonly to authenticate users and authorize API requests. JWTs are Base64URL-encoded and consist of three dot-separated sections: a header, a payload, and a signature.

The JWT Decoder decodes any JWT token and presents its contents in a readable format, so you can inspect the header algorithm, read all payload claims, check expiry timestamps, and understand exactly what the token contains — without needing to write any code.

How to Use the JWT Decoder

Paste your JWT into the input field. A valid JWT looks like three Base64URL strings separated by dots: xxxxx.yyyyy.zzzzz
View the decoded output. The tool immediately decodes and displays:
- Header — the algorithm used to sign the token and the token type
- Payload — all claims contained in the token, shown as formatted JSON
- Signature — the raw signature string used to verify the token's integrity
Check timestamps. Unix timestamps in the payload (iat, exp, nbf) are converted to human-readable dates so you can see exactly when the token was issued and when it expires.

JWT Structure Explained

Header — a JSON object identifying the signing algorithm and token type:

{ "alg": "HS256", "typ": "JWT" }

Common algorithms: HS256 (HMAC-SHA256), RS256 (RSA-SHA256), ES256 (ECDSA).

Payload — a JSON object containing claims. Standard claims include:

| Claim | Name | Description |
|-------|---------------------------------------------------------------|
| sub | Subject | The user or entity the token represents |
| iss | Issuer | Who created and signed the token |
| aud | Audience | Who the token is intended for |
| iat | Issued At | Unix timestamp of when the token was created |
| exp | Expiry | Unix timestamp after which the token is invalid |
| nbf | Not Before | Unix timestamp before which the token is invalid |

Applications can add any additional custom claims alongside these standard ones.

Signature — a cryptographic signature computed from the encoded header and payload using the algorithm and secret key specified in the header. It cannot be forged without the secret key, and any tampering with the header or payload invalidates it.

What This Tool Does and Doesn't Do

The decoder reads the header and payload — this requires no secret key, because the content is Base64URL-encoded, not encrypted. Any JWT can be decoded by anyone who has it.

The decoder does not verify the signature without the secret or public key. Signature verification confirms the token was issued by a trusted source and hasn't been tampered with — that requires the key used to sign it.

For debugging purposes (checking claims, timestamps, algorithm), decoding is sufficient. For security validation in production, always verify the signature server-side using a JWT library.

Common Uses

Debugging authentication flows — decode a token your app received to confirm it contains the expected claims, user ID, roles, and expiry before your auth logic processes it.

Checking token expiry — paste a token to instantly see its exp timestamp in readable form rather than converting a Unix timestamp manually.

Learning JWT structure — understand how JWTs encode data and how different auth providers (Auth0, Firebase, Supabase, Clerk) structure their tokens.

API integration testing — inspect tokens issued during an OAuth flow or login request to verify the claims your API should receive.

Privacy

All decoding happens in your browser. Never paste production tokens containing sensitive user data into any online tool — decode only development and test tokens here.