Loading JWT Decoder...

JWT Decoder

Paste a JWT to instantly see its decoded header, payload, and expiration status.

Encoded Token

Header

Payload

Decode a JWT and Inspect Its Claims

This free online tool decodes a JSON Web Token (JWT) and shows its header, payload, and expiration status in plain, readable JSON — no library, backend, or account required. Paste a token from an Authorization: Bearer header, a session cookie, or an API response, and see exactly what claims it carries.

How It Works

Decode Only — No Signature Verification

This tool decodes the header and payload segments only; it does not verify the signature. A JWT's signature can only be verified with the issuer's secret or public key, and doing that safely requires knowing exactly which service issued the token — this tool is for quickly inspecting claims during development and debugging, not for authenticating a token in production.

Privacy

Decoding happens entirely in your browser using JavaScript. Your token is never uploaded to a server — which matters, since a JWT's payload is only base64-encoded, not encrypted, and often contains user identifiers or other data you don't want to send to a third party.

JWT Decoder — How It Works

A JWT is three base64url-encoded segments separated by dots: a header, a payload, and a signature. Here's what this tool does with each part.

Header Decoding

The first segment is base64url-decoded and parsed as JSON, revealing the signing algorithm (alg) and token type (typ), shown as badges above the output panels.

Payload Decoding

The second segment holds the token's claims — the actual data, such as a user ID, roles, or an expiration time. It's decoded and pretty-printed just like the header.

Expiration Detection

If the payload includes an exp claim (a Unix timestamp), this tool compares it against the current time and flags the token as expired or still valid.

UTF-8 Safe Decoding

Base64url segments are decoded byte-by-byte and converted with a proper UTF-8 decoder, so claims containing non-ASCII characters (names, addresses, emoji) render correctly instead of as garbled text.

Who Uses This Tool?

Backend Developers

Quickly inspect the claims inside an access or ID token returned by an auth service (Auth0, Firebase, Cognito, custom OAuth servers) while debugging an integration.

Frontend Developers

Check what's actually inside a token stored in localStorage or a cookie — confirm the expected claims and expiration are present before wiring up API calls.

QA & Security Testing

Verify that a token issued during a test run contains the expected roles, audience, and expiration — without writing a throwaway decoding script.

Students & Learners

See exactly how a JWT is structured while learning about token-based authentication, alongside the JWT explainer article.

Frequently Asked Questions

What is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe way to represent claims between two parties — commonly used for authentication and authorization. It consists of a header, payload, and signature, each base64url-encoded and joined with dots.

Does this tool verify the signature?

No. This tool only decodes the header and payload so you can read the claims. Verifying a signature requires the issuer's secret (HS256) or public key (RS256/ES256), which this tool intentionally does not ask for.

Is a JWT encrypted?

No — a standard JWT's header and payload are only base64url-encoded, not encrypted. Anyone who has the token can decode and read its contents, which is exactly what this tool demonstrates. Never put secrets in a JWT payload.

Why does it say my token is expired?

The tool compares the payload's exp claim (a Unix timestamp in seconds) against the current time. If exp is in the past, the token is flagged as expired — this is a client-side check only and doesn't affect the real token.

Is my token uploaded anywhere?

No. All decoding happens locally in your browser with JavaScript. Nothing is sent to a server, which matters since JWT payloads often contain user identifiers or other data you don't want to expose to a third party.

What does "Not 3 dot-separated parts" mean?

A valid JWT always has exactly three segments — header, payload, and signature — separated by two dots. If your input has a different number of parts, it isn't a complete JWT (it may be truncated, or it might not be a JWT at all).

Built by Deepak Kumar — a developer who wanted a JSON tool that respects your privacy. All processing happens in your browser. Your data never leaves your device.