JWT Decoder Online
Decode & inspect JSON Web Tokens
Security Note
A JWT is Base64url-encoded, not encrypted: anyone who holds the token can read the header and payload. Never put sensitive secrets such as user passwords in a JWT, and treat the token itself as a bearer credential.
How to Use JWT Decoder
1. Paste your JWT
Enter the full JWT string (header.payload.signature) in the input field.
2. Inspect claims
The decoded header and payload are displayed as formatted JSON with human-readable timestamps.
3. Check expiration
Expiration (exp), issued-at (iat) and not-before (nbf) timestamps are converted to readable dates automatically, so you can tell at a glance whether the token is expired or not yet valid.
What Is JWT Decoder
Decode and inspect JSON Web Tokens (JWTs) instantly without sending them to a server. View the decoded header, payload claims, and raw signature in a readable, formatted layout. Expiration (exp), issued-at (iat), and not-before (nbf) timestamps are automatically converted to human-readable dates so you can instantly check whether a token is expired or not yet valid. Paste any JWT — all decoding happens locally in your browser. Safe for inspecting access tokens, refresh tokens, and identity tokens in development.
Why Use JWT Decoder
- Instantly decode any JWT to inspect claims without writing code or using curl commands.
- Timestamps are converted to readable dates — immediately see if a token is expired or when it was issued.
- Completely private: decoding runs in your browser and the token is never sent to a server. A live token is still a bearer credential, so prefer development tokens or tokens that have already expired when debugging.
- Displays all three JWT sections — header (algorithm and type), payload (claims), and raw signature.
- No account needed — paste your JWT and see the contents in one second.
Frequently Asked Questions
Is my data safe?
Decoding runs entirely in your browser; nothing you paste is transmitted to or stored by a server.
Does this tool verify JWT signatures?
No. The raw signature segment is displayed but never validated, because validation needs the signing secret or public key. A token that decodes cleanly may still be forged or tampered with; only your verifier can tell.
Is it safe to paste my JWT here?
The token never leaves your browser. It remains a bearer credential, though, so prefer test or expired tokens over production ones.
What does 'alg: none' in the header mean?
The token carries no signature. A verifier that accepts 'none' will trust whatever claims the payload contains, so production verifiers should reject it and accept only an explicit allowlist of algorithms.
Why does the expiration time look wrong?
The exp claim is seconds since the Unix epoch (UTC). A value written in milliseconds decodes to a date thousands of years away, and a timezone difference shifts the displayed date by hours.
JWT Decoder Use Cases
Debugging authentication issues
When a user reports an authentication error, decode their JWT to check whether the token is expired, issued for the right audience, or missing required claims.
API development
Verify that your auth server is issuing JWTs with the correct claims, roles, and expiration times during development and testing.
Security review
Inspect JWTs used in a system to confirm the signing algorithm (alg) is not 'none', that iss and aud carry the values your application expects, and that exp is present and reasonably short.
Third-party service integration
Decode JWTs from OAuth providers (Google, GitHub, Auth0) to see what user information is included and which claims are available to your application.
Tips & Best Practices
- 💡A signed JWT has three parts separated by dots: header.payload.signature. Two parts is not a JWT at all (even an unsigned JWT keeps the trailing dot with an empty signature), and five parts is a JWE, whose payload is encrypted and cannot be read without the key.
- 💡The 'exp' claim is a Unix timestamp in seconds (not milliseconds), counted from the epoch in UTC. When comparing it with a displayed date, account for the timezone in which that date is rendered.
- 💡The 'alg' field in the header tells you which signing algorithm the issuer claims to have used. 'none' means the token is unsigned; a verifier must never take alg from the header at face value, but check it against a fixed allowlist and reject 'none' in production.
- 💡JWTs are not encrypted by default — anyone with the token can decode and read the payload. Never store sensitive data like passwords or SSNs in JWT claims.
How It Works
JWT decoding splits the token on '.' delimiters and Base64url-decodes each segment. Base64url (RFC 4648 section 5) differs from the Base64 that atob() expects in two ways: it uses '-' instead of '+' and '_' instead of '/', and it omits the trailing '=' padding, so both are restored before calling atob(). Because atob() returns a binary string, the bytes are re-decoded as UTF-8 so non-ASCII claim values survive. The header and payload JSON is then parsed and pretty-printed. No cryptographic verification is performed; signature validation requires the secret or public key, which the tool deliberately does not accept to avoid handling sensitive credentials. Expiration and other timestamp fields are converted using new Date(value * 1000), since JWT timestamps are in seconds, not milliseconds.
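The following is an added example, not the tool's own source: a small browser-side decoder written the way the paragraph above describes (Base64url to JSON, seconds to Date, no signature check), followed by the claim checks listed under Security review (alg not 'none', iss and aud as expected, exp present and not passed, nbf not in the future). The sample tokens, the issuer URL and the expected audience are constructed for the example and are not real credentials; it runs unchanged in a browser or in Node 16 or later, where atob, btoa, TextEncoder and TextDecoder are all global.

```javascript
// Added example: decode a JWT the way a browser tool does, then run reviewer checks.
// Sample tokens, issuer and audience below are constructed; nothing here is a real credential.

function base64UrlDecode(segment) {
  // Base64url uses '-' and '_' where Base64 uses '+' and '/', and drops '=' padding;
  // atob() accepts only standard Base64, so both must be restored first.
  let b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const rem = b64.length % 4;
  if (rem === 1) throw new Error('invalid Base64url length');
  if (rem) b64 += '='.repeat(4 - rem);
  const bin = atob(b64);
  // atob() yields a "binary string" (one char per byte); re-decode as UTF-8.
  const bytes = Uint8Array.from(bin, (c) => c.charCodeAt(0));
  return new TextDecoder('utf-8', { fatal: true }).decode(bytes);
}

function base64UrlEncode(str) {
  // Used only to build the constructed sample tokens below.
  const bytes = new TextEncoder().encode(str);
  let bin = '';
  for (const b of bytes) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length === 5) {
    throw new Error('five segments: this is a JWE (encrypted); payload unreadable without the key');
  }
  if (parts.length !== 3) throw new Error(`expected 3 segments, got ${parts.length}`);
  const [h, p, s] = parts;
  return {
    header: JSON.parse(base64UrlDecode(h)),
    payload: JSON.parse(base64UrlDecode(p)),
    signature: s, // raw Base64url, displayed but never verified here
  };
}

function toDate(claim) {
  // JWT NumericDate values are seconds since the Unix epoch, not milliseconds.
  return typeof claim === 'number' ? new Date(claim * 1000) : undefined;
}

// Checks a reviewer would run on a decoded token. `expected` holds the iss/aud the
// application should require (assumption for this example). `now` is injectable so
// the checks are deterministic; it defaults to the current time in seconds.
function inspectJwt(token, expected, now = Math.floor(Date.now() / 1000)) {
  const { header, payload, signature } = decodeJwt(token);
  const findings = [];
  const alg = String(header.alg || '').toLowerCase();
  if (alg === '' || alg === 'none') findings.push('alg missing or none: token is unsigned');
  if (signature === '') findings.push('empty signature segment');
  if (typeof payload.exp !== 'number') findings.push('no exp claim');
  else if (payload.exp <= now) findings.push(`expired at ${toDate(payload.exp).toISOString()}`);
  if (typeof payload.nbf === 'number' && payload.nbf > now) {
    findings.push(`not valid before ${toDate(payload.nbf).toISOString()}`);
  }
  if (expected.iss && payload.iss !== expected.iss) findings.push(`iss mismatch: ${payload.iss}`);
  // aud may be a single string or an array of strings (RFC 7519 section 4.1.3).
  const auds = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  if (expected.aud && !auds.includes(expected.aud)) findings.push(`aud mismatch: ${payload.aud}`);
  return { header, payload, findings };
}

// Constructed sample tokens (assumed issuer/audience; placeholder signature).
const EXPECTED = { iss: 'https://issuer.example', aud: 'api' };
const PAYLOAD = '{"sub":"u1","iss":"https://issuer.example","aud":"api","iat":1700000000,"exp":1700003600}';
const GOOD = [base64UrlEncode('{"alg":"HS256","typ":"JWT"}'), base64UrlEncode(PAYLOAD), 'c2lnbmF0dXJl'].join('.');
const UNSIGNED = [base64UrlEncode('{"alg":"none","typ":"JWT"}'), base64UrlEncode(PAYLOAD), ''].join('.');

console.log(JSON.stringify(inspectJwt(UNSIGNED, EXPECTED, 1700001800).findings));
```

The `now` parameter matters in practice: an access token that was valid when a user reported a problem may have expired by the time you look at it, so pass the time of the reported failure rather than relying on the wall clock.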