JWT Decoder - Decode JSON Web Tokens Online
About the JWT Decoder
JSON Web Tokens are used widely for authentication and authorisation. OAuth 2.0 access tokens, OpenID Connect ID tokens, and many API authentication schemes use JWTs to carry identity claims between services. When debugging authentication flows, you need to see what is inside a token: who issued it, who it is for, when it expires, and what permissions it grants.
This decoder splits the token into its three parts, Base64URL-decodes the header and payload, and presents the JSON in a formatted, readable layout. Timestamp claims like exp, iat, and nbf are automatically converted to human-readable dates, and the tool flags whether the token is currently expired.
How to Use the JWT Decoder
Paste a JWT string into the input field. The decoder immediately separates the header, payload, and signature. The header shows the signing algorithm (e.g., HS256, RS256). The payload displays all claims in formatted JSON with timestamps converted to dates. The signature section shows the raw encoded signature for reference. If the token format is invalid, a clear error message explains what went wrong.
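The decoding steps described above, sketched as an added example (not this tool's own source code): split on dots, Base64URL-decode the header and payload, convert exp, iat and nbf to dates, and compare exp with the current time. It decodes only and does not verify the signature, so the claims it shows are untrusted. The names decodeSegment, decodeJwt, toB64Url and SAMPLE_TOKEN are assumptions made for the example.

```javascript
// Decode-only inspection: the signature is NOT verified, so treat every claim as untrusted.
function decodeSegment(segment, label) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) {
    throw new Error(`${label}: not Base64URL`);
  }
  // Base64URL -> Base64: swap URL-safe characters, restore the stripped padding.
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/')
    .padEnd(Math.ceil(segment.length / 4) * 4, '=');
  let value;
  try {
    const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
    value = JSON.parse(new TextDecoder('utf-8', { fatal: true }).decode(bytes));
  } catch {
    throw new Error(`${label}: does not decode to UTF-8 JSON`);
  }
  if (value === null || typeof value !== 'object' || Array.isArray(value)) {
    throw new Error(`${label}: JSON value is not an object`);
  }
  return value;
}

function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = String(token).trim().split('.');
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated parts, found ${parts.length}`);
  }
  const header = decodeSegment(parts[0], 'header');
  const payload = decodeSegment(parts[1], 'payload');
  const dates = {};
  for (const claim of ['exp', 'iat', 'nbf']) {
    const d = new Date(payload[claim] * 1000);
    // Only numeric claims that map to a representable date are converted.
    if (typeof payload[claim] === 'number' && !Number.isNaN(d.getTime())) {
      dates[claim] = d.toISOString();
    }
  }
  // RFC 7519: a token is acceptable only while the current time is before exp.
  const expired = typeof payload.exp === 'number' ? nowSeconds >= payload.exp : null;
  return { header, payload, signature: parts[2], dates, expired };
}

// Constructed sample token; the third part is a placeholder, not a real signature.
const toB64Url = (obj) => btoa(JSON.stringify(obj))
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const SAMPLE_TOKEN = [
  toB64Url({ alg: 'HS256', typ: 'JWT' }),
  toB64Url({ sub: 'user-1', iat: 1700000000, exp: 1700003600 }),
  'c2lnbmF0dXJl',
].join('.');
```

Passing nowSeconds explicitly makes the expiry check reproducible; a token without an exp claim yields expired: null rather than false.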
Features
- Header and payload inspection. See the algorithm, token type, and every claim in formatted JSON.
- Timestamp conversion. Unix timestamps in claims like exp, iat, and nbf are shown as readable dates.
- Expiration status. The decoder checks whether the token is expired and highlights the result.
- Format validation. Invalid tokens are rejected with a helpful error explaining the structural issue.
- Complete privacy. The token never leaves your browser, protecting sensitive claims and user data.
When to Decode JWTs
Decoding JWTs is essential when debugging OAuth login flows, investigating why an API returns 401 or 403 errors, verifying that a token contains the expected scopes or roles, and checking whether a refresh token has expired. Security engineers also decode tokens during penetration testing to inspect claim structures. A bookmarked JWT decoder is a quick win for anyone building or maintaining authenticated applications.