JWT Decoder
Decode and inspect JSON Web Tokens (JWT) online. View header, payload, and check expiration — all client-side.
What is a JWT Decoder?
A JWT (JSON Web Token) decoder splits a JWT into its three components — header, payload, and signature — and decodes the Base64URL-encoded header and payload into readable JSON. JWTs are the standard for authentication and authorization in modern web applications, used by OAuth 2.0, OpenID Connect, and countless APIs.
Our decoder also checks the exp (expiration) claim and tells you whether the token is still valid or has expired. This is invaluable for debugging authentication flows, understanding token claims, and verifying that tokens contain the expected data.
Note: This tool decodes tokens for inspection — it does not verify the cryptographic signature. Verification requires the signing key (the shared secret for HS256, or the issuer's public key for RS256); a shared secret should never be pasted into a browser tool, and an unverified token's claims should not be trusted for any access decision.
How to Use This JWT Decoder
- Paste your JWT into the input field (the long string with two dots separating three parts)
- Click “Decode” to parse the token
- Review the header — shows the algorithm (HS256, RS256, etc.) and token type
- Review the payload — shows claims like sub, exp, iat, and any custom data
- Check the expiration status — the tool indicates if the token is expired
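The split, Base64URL-decode and expiry check described above, as an added example that is not this tool's own code. It assumes Node.js (`Buffer`) for Base64 handling; the same logic works in a browser with `atob()`. The token it decodes is constructed inline and is not a real credential.

```javascript
// Inspect a JWT the way a client-side decoder does: split on '.', Base64URL-decode
// header and payload, parse JSON, compare exp to "now". The signature is NOT verified.

function base64UrlDecode(segment) {
  // Base64URL (RFC 4648 §5) swaps '+'/'/' for '-'/'_' and drops '=' padding,
  // so restore both before handing the string to a standard Base64 decoder.
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

function base64UrlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated parts, got ${parts.length}`);
  }
  const [headerB64, payloadB64, signature] = parts;
  const header = JSON.parse(base64UrlDecode(headerB64));
  const payload = JSON.parse(base64UrlDecode(payloadB64));
  // exp is a NumericDate (seconds since the Unix epoch); the token is expired
  // once the current time is at or past it. A missing exp yields null (no expiry claim).
  const expired = typeof payload.exp === 'number' ? nowSeconds >= payload.exp : null;
  // signatureVerified is always false here: decoding is not verification.
  return { header, payload, signature, expired, signatureVerified: false };
}

// Constructed sample token (not a real credential): HS256 header, a payload with
// sub/iat/exp plus a custom claim, and a placeholder signature that is never checked.
const SAMPLE_HEADER = base64UrlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
const SAMPLE_PAYLOAD = base64UrlEncode(JSON.stringify({
  sub: '1234567890', iat: 1700000000, exp: 1700003600, role: 'user',
}));
const SAMPLE_TOKEN = `${SAMPLE_HEADER}.${SAMPLE_PAYLOAD}.placeholder-signature`;

// Evaluate the sample one second after its exp claim.
const result = decodeJwt(SAMPLE_TOKEN, 1700003601);
console.log(result.header.alg, result.payload.sub, result.expired); // HS256 1234567890 true
```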
Common Use Cases
- Debugging authentication — Inspect tokens to understand why login or API calls fail
- Verifying token claims — Check that roles, permissions, and user data are correct in the payload
- Checking expiration — Determine if a token has expired or when it will expire
- API development — Verify that your backend issues tokens with the correct claims
- Security auditing — Review what information is stored in tokens (remember, payloads are only encoded, not encrypted)
Frequently Asked Questions
Are JWTs secure? Can someone read my token?
JWT payloads are Base64URL-encoded, not encrypted — anyone with the token can read the payload. Never store sensitive data (passwords, credit cards) in JWT claims. The signature prevents tampering but not reading.
What’s the difference between HS256 and RS256?
HS256 uses a shared secret key for both signing and verification — simpler but requires sharing the secret. RS256 uses a private/public key pair — the server signs with the private key and anyone can verify with the public key. RS256 is preferred for distributed systems.
Related Tools
- Base64 Encoder/Decoder — Manually decode Base64 strings from tokens
- JSON Formatter — Format the decoded JWT payload for readability
- Timestamp Converter — Convert the exp and iat Unix timestamps to readable dates