JWT Decoder
Decode JSON Web Tokens (JWT) and inspect header, payload, and signature. Verify expiry dates and claims without revealing sensitive data.
About JWT Decoder
Crack Open Any JWT Without Writing Code
JSON Web Tokens are the backbone of modern authentication. They're in your Authorization headers, your OAuth flows, your SSO systems, and about a dozen cookies in your browser right now. But JWTs are base64url-encoded, which means they look like gibberish unless you decode them. The JWT Decoder takes that gibberish and shows you exactly what's inside - the header, the payload, the signature - in clean, readable JSON.
What You'll See When You Decode a JWT
Every JWT has three parts separated by dots. The header tells you the algorithm used to sign the token (RS256, HS256, ES256, etc.) and the token type. The payload contains the claims - user ID, email, roles, permissions, issued-at timestamp, expiration time, and whatever else the issuer decided to include. The signature is the cryptographic proof that the token hasn't been tampered with.
This JWT decoder breaks all three apart and presents them as formatted JSON with syntax highlighting. You can immediately see who the token was issued to, when it expires, what scopes or permissions it grants, and which signing algorithm was used. No more squinting at base64 strings or writing throwaway decode scripts.
Expiry Verification - The Feature You'll Use Most
"Why is my API returning 401?" Nine times out of ten, the answer is an expired token. The JWT decoder reads the exp claim and tells you in plain language whether the token is still valid or has expired, and exactly when it expired (or will expire). It converts the Unix timestamp to a human-readable date and time, and shows you how long ago it expired or how much time remains. This single feature saves developers hours of debugging per month.
It also checks the iat (issued at) and nbf (not before) claims, so you can verify the full validity window of the token. If someone's reporting intermittent auth failures, checking these timestamps often reveals clock skew issues between servers - a classic JWT gotcha that's surprisingly common.
Security Debugging
When you're auditing an authentication system, being able to inspect JWTs is essential. What claims is the identity provider including? Are there sensitive fields that shouldn't be in the payload (remember, JWTs are encoded, not encrypted - anyone can decode them)? Is the algorithm in the header the one you expect, or has it been downgraded to "none" (a well-known JWT vulnerability)?
The JWT decoder makes these checks trivial. Paste the token, read the decoded output, and you've got answers in seconds. Security researchers, penetration testers, and backend developers doing auth work all reach for a JWT decoder regularly.
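The expiry and security checks described above can be reproduced in a few lines. The following is an added example, not ToolWard's code: it decodes a token without verifying the signature, flags an alg of "none", and evaluates exp, nbf and iat with a clock-skew leeway. The function names, finding labels, leeway default and sample tokens are assumptions constructed for this illustration.

```javascript
// Added example (not ToolWard's code). Decodes only; the signature is NOT verified.
function b64urlDecode(segment) {
  // JWT segments are base64url without padding: restore "+", "/" and "=".
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

// nowSeconds and leewaySeconds are assumptions of this example: the caller
// supplies the clock, and leeway is the tolerated clock skew between servers.
function inspectJwt(token, nowSeconds, leewaySeconds = 60) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const header = JSON.parse(b64urlDecode(parts[0]));
  const payload = JSON.parse(b64urlDecode(parts[1]));
  const findings = []; // finding labels are hypothetical names for this demo

  if (String(header.alg).toLowerCase() === "none") findings.push("alg-none");
  if (parts[2] === "") findings.push("empty-signature");

  // exp, nbf and iat are seconds since the Unix epoch.
  const { exp, nbf, iat } = payload;
  const isNum = (v) => typeof v === "number" && Number.isFinite(v);
  if (!isNum(exp)) findings.push("no-exp");
  else if (nowSeconds >= exp + leewaySeconds) findings.push("expired");
  if (isNum(nbf) && nowSeconds + leewaySeconds < nbf) findings.push("not-yet-valid");
  if (isNum(iat) && nowSeconds + leewaySeconds < iat) findings.push("issued-in-future");

  return {
    header,
    payload,
    findings,
    expiresAt: isNum(exp) ? new Date(exp * 1000).toISOString() : null,
    secondsLeft: isNum(exp) ? exp - nowSeconds : null,
  };
}

// Constructed sample tokens (not real credentials); signatures are dummy text.
function makeToken(header, payload, signature) {
  const enc = (obj) =>
    btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc(header)}.${enc(payload)}.${signature}`;
}
const NOW = 1700000000; // constructed "current time"
const hs = { alg: "HS256", typ: "JWT" };
const expiredToken = makeToken(hs, { sub: "u1", iat: NOW - 7200, exp: NOW - 3600 }, "c2ln");
const unsignedToken = makeToken({ alg: "none" }, { sub: "u1", exp: NOW + 600 }, "");
const skewedToken = makeToken(hs, { sub: "u1", iat: NOW + 30, nbf: NOW + 30, exp: NOW + 900 }, "c2ln");
```

Calling inspectJwt(skewedToken, NOW, 0) reports the token as not yet valid, while the default 60-second leeway accepts it, which is the clock-skew case mentioned above. A clean result here says nothing about authenticity, because only the server holding the key can verify the signature.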
Common Use Cases
Frontend devs debugging why a protected route isn't accessible. Backend devs verifying that token generation includes the right claims. DevOps engineers troubleshooting SSO integrations between services. QA testers checking that tokens issued during test flows contain expected data. Students learning about web authentication and wanting to see what JWTs actually look like inside.
If you work with APIs, you work with JWTs. And if you work with JWTs, you need a decoder you can trust. This one runs entirely in your browser - your tokens never touch a server - so you can safely decode production tokens without worrying about them being logged or intercepted. Paste, decode, understand, move on.