JWT Decoder

Decode JWT headers and payloads without sending data anywhere.

Decode and inspect JSON Web Tokens (JWT) instantly with this secure browser-based JWT decoder. View the token header and payload to verify claims, expiration (exp), issuer (iss), and audience (aud). All decoding happens locally in your browser, so your tokens are never transmitted or stored.

Ad slot tool-jwt-decoder-bottom

About this tool

Decode JWTs Safely

Decode JWT tokens and inspect their headers and payload claims without exposing sensitive data to external services.

  • Decode header (alg, typ)
  • Decode payload (claims like iat, exp, iss, aud)
  • Human-readable date formatting
  • 100% Client-side processing

When to Use a JWT Decoder

JWTs are the standard for modern authentication. Use this tool to debug login issues or verify token contents.

  • Check if a token is expired
  • Verify user roles and permissions
  • Confirm issuer (iss) and audience (aud)

How to Use JWT Decoder

1

Paste Token

Paste your encoded JWT token (often starting with `eyJ...`) into the input field.

2

Review Claims

The tool automatically splits the token into Header and Payload. Read the decoded JSON to verify the user ID, expiration time, and scopes.

3

Check Expiry

Hover or look at the 'exp' (expiration) field to see exactly when the token becomes invalid in human-readable time.

Ad slot tool-jwt-decoder-inline

Common questions

Is it safe to paste production tokens here?

This JWT decoder runs entirely in your browser using client-side JavaScript. Your token is not transmitted, logged, or stored on any server.

Can I verify the signature?

No. Signature verification requires your private secret key or public certificate. To keep your secrets safe, we do not ask for them and therefore cannot verify the signature.

What happens if the token is expired?

The tool will still decode it so you can see why it expired (by checking the 'exp' claim), but the token itself would be rejected by your API.

What is the difference between decoding and verifying a JWT?

Decoding a JWT simply converts the Base64-encoded header and payload into readable JSON. Verifying a JWT checks the signature using a secret key or public key to ensure the token has not been tampered with. This tool only decodes tokens and does not perform signature verification.

Does this handle encrypted JWTs (JWE)?

No, this tool only supports standard signed JWTs (JWS). Encrypted tokens require a decryption key, which is not supported in this public tool.

Can I decode a JWT without the secret key?

Yes. Decoding does not require a secret key because it only reads the Base64-encoded header and payload. However, verifying the token’s authenticity requires the appropriate signing key.

Why is the output just random characters?

Ensure you pasted the full token including the dots (.). If the token uses a non-standard encoding, it might not decode correctly.

Related tools

JSON Formatter

Validate, format, and minify JSON with instant feedback.

Open tool

Base64 Encoder / Decoder

Encode or decode Base64 safely in the browser.

Open tool

URL Encoder / Decoder

Encode and decode URLs or query parameters.

Open tool