JWT Decoder Online | Decode Claims, Header and Expiration

Security | Runs in Your Browser (No Uploads)

Decode and inspect JSON Web Tokens (JWT) instantly in your browser. View header, payload, alg, exp, iss, aud, sub, iat, nbf, and readable timestamps. Local decoding only; signatures must still be verified on your server.

How to Use This Tool

  1. Paste your JWT in the input box (header.payload.signature).
  2. Header, payload, and signature will be decoded instantly.
  3. View claims like exp, iat, and nbf with auto-converted timestamps.
  4. Copy decoded data for debugging or documentation.
  5. Always verify signatures server-side before trusting token contents.

When to Use This Tool

API Authentication Debugging

Inspect API authentication tokens for subject, role, expiration, issuer, and audience while debugging authorization failures.

OAuth 2.0 and OpenID Connect Development

Decode access tokens and ID tokens to confirm OAuth/OIDC configuration, scopes, audience, issuer, and identity claims.

Frontend and Mobile Token Debugging

Check token lifetime, nbf timing, refresh behavior, and client storage issues in web or mobile apps.

Security Review and Claim Auditing

Review alg values, sensitive claims, issuer/audience mismatches, and payload content before implementing server verification.

Common Mistakes

Trusting decoded payloads

Decoded claims are readable but not trusted until the signature, algorithm, issuer, audience, and expiration are verified server-side.

Putting secrets inside JWT claims

JWT payloads are usually encoded, not encrypted. Never place passwords, API keys, refresh tokens, or private personal data in plain claims.

Checking only the token format

Check exp, nbf, iat, issuer, and audience together. A token that decodes cleanly can still be expired or issued for another app.

Examples

Inspect access token claims

Decode the payload to check subject, role, and expiration while debugging an API authentication issue.

Input
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c2VyXzEyMyIsInJvbGUiOiJhZG1pbiIsImV4cCI6MTc3ODY4NjQwMH0.signature
Output
{
  "sub": "user_123",
  "role": "admin",
  "exp": 1778686400
}

Check the algorithm in the header

Confirm whether a token declares HS256, RS256, none, or another algorithm before reviewing your server-side verification settings.

Input
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.payload.signature
Output
{
  "alg": "RS256",
  "typ": "JWT"
}

How JWT Works

A JWT is composed of three Base64URL-encoded parts: header, payload, and signature.

The header contains algorithm metadata such as alg and typ. The payload contains claims such as exp, iss, aud, sub, iat, and nbf.

The signature can prove integrity only after server-side verification. Decoding alone never proves a token is authentic.
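
An added example, not part of the original page or the tool's own code: a decode-only inspector that applies the Base64URL rules and the exp/nbf/iat/alg checks described on this page to the sample token from the Examples section. It assumes Node.js (for `Buffer`); the names `b64urlToJson`, `inspectJwt` and `SAMPLE_TOKEN` are hypothetical.

```javascript
// Added example (not the tool's own code). Decodes a JWT for inspection only.
// Node.js Buffer is used for Base64; nothing here verifies the signature.

function b64urlToJson(part) {
  // Base64URL -> Base64: swap the URL-safe characters, restore omitted padding.
  const b64 = part.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, "base64").toString("utf8"));
}

function inspectJwt(token, nowSeconds) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const header = b64urlToJson(parts[0]);
  const payload = b64urlToJson(parts[1]);
  const notes = [];

  // An "alg" of none means the token carries no signature at all.
  if (typeof header.alg !== "string" || header.alg.toLowerCase() === "none") {
    notes.push("header declares no signing algorithm");
  }
  // exp, nbf and iat are Unix timestamps in seconds (RFC 7519).
  if (typeof payload.exp !== "number") {
    notes.push("no exp claim");
  } else if (nowSeconds >= payload.exp) {
    notes.push("expired");
  }
  if (typeof payload.nbf === "number" && nowSeconds < payload.nbf) {
    notes.push("not yet valid (nbf)");
  }
  if (typeof payload.iat === "number" && payload.iat > nowSeconds) {
    notes.push("iat is in the future");
  }
  const iso = (s) => (typeof s === "number" ? new Date(s * 1000).toISOString() : null);
  return {
    header,
    payload,
    notes,
    expiresAt: iso(payload.exp),
    verified: false, // decoding never proves authenticity
  };
}

// Token from the page's first example; its payload part omits "=" padding.
const SAMPLE_TOKEN =
  "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9." +
  "eyJzdWIiOiJ1c2VyXzEyMyIsInJvbGUiOiJhZG1pbiIsImV4cCI6MTc3ODY4NjQwMH0." +
  "signature";
console.log(inspectJwt(SAMPLE_TOKEN, Math.floor(Date.now() / 1000)));
```

The `notes` array only flags what the claims say; the `verified: false` field is fixed because signature, issuer and audience checks belong to the server.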

Frequently Asked Questions

Q. Does this verify JWT signatures?

A. No. This tool only decodes the JWT and does not verify its signature. Always validate the signature on your server using the correct key, algorithm, issuer, audience, and expiration rules.

Q. Are JWTs encrypted? Is decoding safe?

A. Most JWTs are signed, not encrypted. The header and payload are Base64URL-encoded and readable by anyone with the token. Never include passwords, API keys, or sensitive personal data in claims.

Q. What are JWT claims and what do they mean?

A. Claims are pieces of data in the token like exp (expiration), iss (issuer), aud (audience), sub (subject), iat (issued at), and nbf (not before). They are defined in RFC 7519.

Q. How can I check if a JWT is expired?

A. Check the exp claim, which is a Unix timestamp. This tool displays it in readable time, but the server must still reject expired tokens during verification.

Q. Why does a JWT use Base64URL instead of normal Base64?

A. JWT uses Base64URL, a URL-safe Base64 variant. It replaces some characters and may omit padding, which is why raw JWT parts can look different from standard Base64 strings.
