JWT Decoder
Decode and inspect JSON Web Tokens online. View header, payload, claims, and expiration instantly.
Paste or type your input above; results update immediately. The tool runs in your browser and we don't store your data.
About This Calculator
Our free online JWT Decoder lets you paste any JSON Web Token and instantly see its decoded header and payload in readable, pretty-printed JSON. JWTs are the industry-standard way to pass authentication and authorization data between services, and inspecting them is a daily task for API and back-end developers. This tool decodes the token in real time as you type, separates the header (algorithm and token type) from the payload (claims such as user ID, roles, issuer, and expiration), and formats both sections for easy reading. Use it to debug login flows, verify token claims before they reach production, or understand how a third-party API structures its tokens.
How It Works
A JWT is made of three Base64URL-encoded parts separated by dots: header.payload.signature. Paste a token into the input panel and the decoder splits it at the dots, decodes the first two parts from Base64URL to JSON, and displays them in the output panel under separate Header and Payload sections. The header typically contains the signing algorithm (e.g., HS256, RS256) and token type. The payload contains the claims — registered claims like iss (issuer), exp (expiration), sub (subject), and iat (issued at), plus any custom claims your application adds. The signature part is not decoded because verifying it requires the server-side secret or public key. All decoding happens in your browser — the token is never sent to any server.
How to Use
- Enter your values in the calculator fields above
- Click the calculate button or let the calculator auto-update
- Review your results instantly
- Adjust values as needed to see different scenarios
Frequently Asked Questions
What is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe string used to securely transmit information between two parties. It is commonly used for authentication: after a user logs in, the server issues a JWT that the client sends with every subsequent request to prove identity. The token is self-contained — the server can verify it without querying a database.
Is it safe to paste my JWT here?
Yes. This decoder runs entirely in your browser — the token never leaves your device. That said, JWTs themselves are not encrypted by default (only signed), so anyone who has the token string can decode the header and payload. Avoid sharing tokens in public channels regardless of the tool you use.
What claims will I see in the payload?
Common registered claims include sub (subject / user ID), iss (issuer), aud (audience), exp (expiration timestamp), nbf (not before), and iat (issued at). Many tokens also carry custom claims like email, role, permissions, or tenant ID, depending on how the issuing server is configured.
Can this tool verify the JWT signature?
No. Verifying a signature requires the server-side secret key (for HMAC algorithms like HS256) or the public key (for RSA/ECDSA algorithms like RS256). This tool only decodes the header and payload. To verify signatures, use a server-side library such as jsonwebtoken (Node.js), PyJWT (Python), or java-jwt (Java).
How do I check if a JWT has expired?
Look for the exp claim in the decoded payload. It is a Unix timestamp (seconds since January 1, 1970). Convert it to a human-readable date to see when the token expires. If the current time is past that value, the token has expired and the server should reject it.
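The decoding steps described under How It Works and the exp check from this answer, written out as an added JavaScript example (not this tool's own code). The sample token, its claims, and all function names are constructed for illustration.

```javascript
// Added example: decode-only JWT inspection. Nothing here verifies the signature.

// Base64URL -> UTF-8 string: restore the standard alphabet and the stripped padding.
function base64UrlDecode(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error("not Base64URL");
  if (segment.length % 4 === 1) throw new Error("invalid Base64URL length");
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

// Split at the dots and decode the first two parts; the signature stays opaque.
function decodeJwt(token) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const [header, payload] = parts.slice(0, 2).map((p) => JSON.parse(base64UrlDecode(p)));
  return { header, payload, signature: parts[2], verified: false };
}

// exp is seconds since the Unix epoch; expired once now >= exp (RFC 7519).
function expiryStatus(payload, nowSeconds = Math.floor(Date.now() / 1000)) {
  if (typeof payload.exp !== "number") return { hasExp: false, expired: false };
  return {
    hasExp: true,
    expired: nowSeconds >= payload.exp,
    expiresAt: new Date(payload.exp * 1000).toISOString(),
  };
}

// Constructed sample token (hypothetical claims, placeholder signature).
function base64UrlEncode(obj) {
  const bytes = new TextEncoder().encode(JSON.stringify(obj));
  return btoa(String.fromCharCode(...bytes))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
const sampleToken = [
  base64UrlEncode({ alg: "HS256", typ: "JWT" }),
  base64UrlEncode({ sub: "user-123", iss: "https://issuer.example", role: "café-admin", exp: 1700000000 }),
  "placeholder-signature",
].join(".");

const decoded = decodeJwt(sampleToken);
console.log(decoded.header, decoded.payload, expiryStatus(decoded.payload));
```

Treat the returned claims as untrusted input until a server-side library has verified the signature against the expected key and algorithm.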
What is the difference between the header and the payload?
The header describes how the token is signed — it contains the algorithm (e.g., HS256, RS256) and the token type (typically "JWT"). The payload carries the actual data: who the user is, what they are allowed to do, and when the token expires. Both are Base64URL-encoded but not encrypted, which is why you can decode them with this tool.
Why Use Our Free JWT Decoder Online?
Our JWT Decoder runs in the browser so you can format, convert, or generate without sending data to our servers. No account needed—paste or type, get your result. We offer more dev tools (JSON, Base64, JWT, UUID, timestamps, and more) in the list below.