JWT Decoder

Free JWT decoder. Paste a JSON Web Token to decode and inspect its header and payload, view standard claims and check expiry — all in your browser, nothing uploaded.


🔒 Decoding happens entirely in your browser — your token is never uploaded, logged or sent anywhere. This tool only decodes a JWT so you can read it; it does not verify the signature, and it never asks for your secret or key.


Free JWT Decoder

This free online JWT decoder lets you paste a JSON Web Token and instantly read what is inside it. It pretty-prints the header and payload in separate panels, shows the raw signature, and translates the standard time claims (exp, iat, nbf) into readable dates so you can see at a glance whether a token has expired. Everything is decoded right here in your browser — your token is never uploaded, and the tool never asks for your secret key.

How to use the JWT decoder

  1. Copy your token from your app, API response, browser storage or an Authorization: Bearer header.
  2. Paste it into the box above (or click Load sample to try one).
  3. Click Decode token. The header and payload appear as formatted JSON in their own panels.
  4. Check the standard claims table for human-readable issued, not-before and expiry dates.
  5. Use the Copy button on any panel to grab the decoded JSON.

What is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe way to carry claims between two parties — most commonly used for login sessions and API authentication. A JWT is a single string made of three parts separated by dots: header.payload.signature. The header describes the token type and the signing algorithm (for example {"alg":"HS256","typ":"JWT"}). The payload holds the claims, which are the actual data. The signature is a cryptographic value computed over the header and payload; once it is checked against the right secret or public key, it shows that the token has not been tampered with.

The header and payload are JSON objects that are Base64URL-encoded (a URL-safe variant of Base64 that uses - and _ and often drops padding). That encoding is not encryption, so anyone can decode and read a JWT — which is exactly what this tool does. Common registered claims include iss (issuer), sub (subject, often the user ID), aud (audience), exp (expiry time), iat (issued-at time) and nbf (not-before time). Time claims are stored as Unix timestamps, which this decoder converts to readable dates.

Importantly, decoding is not the same as verifying. Verifying a token means checking its signature against the secret or public key to confirm it is authentic and untampered. This tool deliberately stays on the safe side: it only decodes and inspects what is in the token, so you never have to paste a secret into a web page.
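
The decode-only flow described above, as an added example rather than this tool's own code: it splits the token, Base64URL-decodes the header and payload, converts the time claims to dates and reports which part failed. The function names, error strings and sample token are assumptions constructed for illustration.

```javascript
// Added example: decode-only JWT inspection. The signature is never verified here.
function b64urlToText(seg) {
  // Only the URL-safe alphabet is allowed; a length of 4n+1 can never be valid.
  if (!/^[A-Za-z0-9_-]*$/.test(seg) || seg.length % 4 === 1) {
    throw new Error("not valid Base64URL");
  }
  // Map back to standard Base64 and restore the padding JWTs usually drop.
  const b64 = seg.replace(/-/g, "+").replace(/_/g, "/")
    .padEnd(Math.ceil(seg.length / 4) * 4, "=");
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes); // rejects bad UTF-8
}

function decodePart(seg) {
  let text;
  try { text = b64urlToText(seg); } catch (e) { return { error: "not valid Base64URL" }; }
  try { return { json: JSON.parse(text) }; } catch (e) { return { error: "not valid JSON" }; }
}

function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) return { error: "does not look like a JWT" };
  const header = decodePart(parts[0]);
  const payload = decodePart(parts[1]);
  const claims = payload.json || {};
  const times = {};
  for (const name of ["iat", "nbf", "exp"]) {
    // Time claims are Unix timestamps in seconds; Date expects milliseconds.
    if (typeof claims[name] === "number") {
      times[name] = new Date(claims[name] * 1000).toISOString();
    }
  }
  return {
    header, payload, times,
    signature: parts[2],       // raw segment only, not checked
    signatureVerified: false,  // expiry below reflects the claim, not authenticity
    expired: typeof claims.exp === "number" ? nowSeconds >= claims.exp : null,
  };
}

// Constructed sample (not a real token); the signature segment is filler text.
const enc = (o) => btoa(JSON.stringify(o))
  .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE = [enc({ alg: "HS256", typ: "JWT" }),
  enc({ sub: "user-123", iat: 1699996400, exp: 1700000000 }), "c2lnbmF0dXJl"].join(".");
```

An `expired: false` result says only that the `exp` claim is in the future; any party can write that claim, so acceptance decisions still need server-side signature verification.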

Frequently asked questions

Is it safe to paste my token here?
Yes. The decoding runs entirely in your browser with JavaScript — your token is never uploaded, stored or sent to any server. That said, a JWT can contain personal or session data, so treat any live production token with care and avoid sharing your screen while it is on the page.

Does this tool verify the JWT signature?
No. This is a decoder and inspector only. It shows the raw signature segment but does not check it, so it never asks for your secret or key. Signature verification must be done on your server or with the proper library that has access to the signing key.

How do I know if a JWT is expired?
After decoding, the tool reads the exp claim, converts it to a readable date, and compares it to the current time. It then shows a clear banner telling you whether the token is still valid or has already expired. A decoded expiry only reflects the time claim, not whether the signature is valid.

What do iss, sub, iat, exp and nbf mean?
These are standard registered claims. iss is the issuer that created the token, sub is the subject such as a user ID, aud is the intended audience, iat is when the token was issued, exp is when it expires and nbf is the time before which the token should not be accepted. The decoder shows the time claims as readable dates.

Why does my token fail to decode?
A valid JWT has exactly three parts separated by dots. If you paste something with the wrong number of parts you will see a message saying it does not look like a JWT. If a part is not valid Base64URL or does not contain valid JSON, the affected panel explains that so you can spot a copy-paste error such as a missing character.