JWT Decoder

About This Tool

JWT Decoder decodes JSON Web Tokens instantly, revealing the header algorithm, all payload claims (sub, iat, exp, aud, iss, and custom claims), expiry status, and security warnings — all without verifying the signature. Developers use this tool to debug authentication flows, inspect OAuth2 access tokens, diagnose expired session tokens, and verify that identity providers are returning the correct claims in their JWTs. Your token is never uploaded — decoding runs entirely in your browser.

How to Use

Paste the full JWT token (all three dot-separated segments) into the input field.
Click Run Tool.
View the decoded header (algorithm, type), payload claims, expiry status, and any security warnings.
Note: This tool decodes only. It does NOT verify the signature.

How It Works

A JWT consists of three Base64URL-encoded segments separated by dots: header.payload.signature. Decoding the header and payload requires only Base64URL decoding — no secret key is needed. The signature, however, can only be VERIFIED using the original signing key. This tool decodes and displays the payload without performing signature verification.

FAQ

Does this tool verify the JWT signature?

No. Decoding and verification are different operations. This tool decodes the token to show its contents. Signature verification requires the secret key or public key and should be done server-side.

Is it safe to paste my JWT token here?

Yes. The tool runs entirely in your browser. Your token is never sent to any server. However, avoid sharing JWT tokens in screenshots or public pages, as they grant access until expiry.

What claims should a JWT payload contain?

Standard claims include: sub (subject), iat (issued at), exp (expiry), iss (issuer), aud (audience), and jti (JWT ID). Custom claims add application-specific data like user roles, emails, and permissions.

How do I check if a JWT is expired?

The decoder shows the exp claim as a human-readable date and tells you if the token is expired, active, or has no expiry set.

Can I decode a JWT without the secret key?

Yes. The payload and header are only Base64URL-encoded (not encrypted). Anyone can decode them without knowing the signing secret. This is by design in the JWT specification.

Is this free?

Yes, completely free. No account or sign-up required.

About This Tool

How It Works

FAQ

Does this tool verify the JWT signature?

No. Decoding and verification are different operations. This tool decodes the token to show its contents. Signature verification requires the secret key or public key and should be done server-side.

Is it safe to paste my JWT token here?

Yes. The tool runs entirely in your browser. Your token is never sent to any server. However, avoid sharing JWT tokens in screenshots or public pages, as they grant access until expiry.

What claims should a JWT payload contain?

How do I check if a JWT is expired?

The decoder shows the exp claim as a human-readable date and tells you if the token is expired, active, or has no expiry set.

Can I decode a JWT without the secret key?

Yes. The payload and header are only Base64URL-encoded (not encrypted). Anyone can decode them without knowing the signing secret. This is by design in the JWT specification.

Is this free?

Yes, completely free. No account or sign-up required.

About This Tool

How to Use

How It Works

FAQ

Does this tool verify the JWT signature?

Is it safe to paste my JWT token here?

What claims should a JWT payload contain?

How do I check if a JWT is expired?

Can I decode a JWT without the secret key?

Is this free?

Related Tools

Example

About This Tool

How to Use

How It Works

FAQ

Does this tool verify the JWT signature?

Is it safe to paste my JWT token here?

What claims should a JWT payload contain?

How do I check if a JWT is expired?

Can I decode a JWT without the secret key?

Is this free?

Related Tools

JWT Decoder

Example