JWT Decoder

Decode JSON Web Tokens to reveal the header, payload, and claims — instantly in your browser.

Backend developers debugging authentication tokens and inspecting JWT claims.

How to use it

  1. Paste your JWT

    Copy the token — the long string that usually starts with "eyJ" — and paste it into the input.

  2. View the decoded parts

    The header, payload, and signature segment are split out and formatted as readable JSON automatically.

  3. Check expiry and claims

    See whether the token is expired and read every claim — roles, subject, issuer, and timestamps — at a glance.

Why use this tool?

A JSON Web Token looks like a meaningless blob of characters, but it is really three Base64URL-encoded parts — a header, a payload, and a signature — separated by dots. Inside the payload sit the things you actually care about when debugging authentication: who the user is, their roles and permissions, when the token was issued, and when it expires. When a login fails, an API returns 401, or a permission check misbehaves, the fastest way to understand why is to read what is actually in the token. This decoder splits a JWT apart and shows the header and payload as clean, readable JSON, flags whether the token has expired, and reveals the signing algorithm. It runs entirely in your browser — nothing is uploaded — which matters because JWTs are live credentials. Paste a token and instantly see its contents instead of writing throwaway code or pasting it into a site that might log it. Note that decoding only reads the token; it does not and cannot verify the signature.

Common use cases

Authentication debugging

Confirm a user’s roles, scopes, and token expiry while tracking down a login or 401 issue.

API integration

Decode tokens from a third-party provider to learn the claim names and structure you need to handle.

Security review

Check what data a token exposes and which algorithm the header declares (watching out for "none" or weak choices).

Support & QA

Quickly verify whether a reported auth bug is caused by an expired or malformed token.

Learning JWTs

See exactly how a real token is structured to understand how stateless authentication works.

Frequently asked questions

Is my JWT sent to a server?

No. Decoding is 100% client-side, so your token never leaves your device.

Does this verify the signature?

No. Verifying the signature requires the secret or public key; this tool only decodes and displays the header and payload.

Is it safe to paste a production token?

Because nothing is uploaded, it is safer than most online decoders — but still treat JWTs as live credentials and avoid sharing your screen with one displayed.

Which algorithms are supported?

Any standard JWT in header.payload.signature format, including HS256, RS256, and ES256 — the algorithm is shown in the decoded header.

Why is the signature shown as unreadable?

The signature is a cryptographic hash, not encoded JSON, so it is not human-readable by design — only the header and payload decode to text.

How do I read the expiry?

The exp claim is a Unix timestamp; the tool converts it and tells you whether the token has already expired.

Can it decode an encrypted (JWE) token?

No. This handles signed JWTs (JWS). Encrypted JWE tokens cannot be read without the decryption key.

Is it free?

Yes — decode as many tokens as you need for free, with no sign-up.

Related tools