JWT Token Decoder
Paste a JWT and decode the header, payload, and expiry date
About JWT Token Decoder
Decode and Inspect JWT Tokens Effortlessly
JSON Web Tokens are everywhere in modern authentication, but their compact, base64url-encoded format makes them unreadable at a glance. The JWT Token Decoder cracks open any JWT and displays its header, payload, and signature in a clean, readable format so you can inspect claims, check expiration times, and debug authentication issues without writing a single line of code.
What Is a JWT and Why Would You Decode One?
A JSON Web Token is a compact, URL-safe string used to transmit claims between two parties. It consists of three parts separated by dots: a header that identifies the signing algorithm, a payload that contains the claims such as user ID, roles, and expiration time, and a signature that lets the recipient verify the token has not been tampered with. Developers routinely need to peek inside JWTs during debugging, and the JWT Token Decoder makes that process instant.
How to Decode a JWT Token
Paste the full JWT string into the input field. The tool immediately splits it into its three components and decodes the base64url-encoded header and payload into formatted JSON. Each claim is displayed with its name, value, and a human-readable description. Timestamps like iat (issued at), exp (expiration), and nbf (not before) are automatically converted into readable dates and times, and the tool highlights whether the token is currently within its validity period or expired.
Claims You Can Inspect
The JWT Token Decoder recognises and explains standard registered claims including iss (issuer), sub (subject), aud (audience), exp (expiration time), iat (issued at), and jti (JWT ID). Custom claims added by your application, such as user roles, permissions, or tenant identifiers, are also displayed. This comprehensive view lets you verify that your token contains exactly the data you expect and nothing more.
Debugging Authentication Flows
When a user reports they cannot access a resource, the problem often lies in the JWT. Maybe the token has expired. Maybe the audience claim does not match the API it is being sent to. Maybe a role claim is missing. The JWT Token Decoder lets you diagnose these issues in seconds. Copy the token from the browser developer tools, an HTTP request log, or your application logs, paste it in, and the answer is right there in front of you.
Algorithm and Header Analysis
The header section reveals which algorithm was used to sign the token. Common algorithms include HS256 (HMAC with SHA-256), RS256 (RSA with SHA-256), and ES256 (ECDSA with P-256 and SHA-256). The tool flags tokens whose header declares the none algorithm. Such tokens carry no signature, and a verifier that accepts them allows attackers to forge tokens, which is a well-known security vulnerability. Spotting this in production is critical, and the JWT Token Decoder makes it immediately obvious.
Security Best Practices
It is important to understand that decoding a JWT is not the same as verifying it. Decoding simply reads the base64url content, which anyone can do. Verification requires checking the signature against a secret or public key, which should always happen on your server. The JWT Token Decoder is a diagnostic and learning tool. Never use decoded claims from an unverified token to make authorisation decisions in production.
Private by Design
JWTs often contain personally identifiable information, session data, and security-sensitive claims. The JWT Token Decoder runs entirely in your browser. The token you paste is never sent to a server, never logged, and never stored. This makes it safe to decode production tokens during incident response without introducing additional data exposure risks.