DevToolbox

Free Online JWT Decoder

Decode and inspect JWT tokens online. View header, payload claims, and expiry status instantly. 100% client-side: your token never leaves your browser.

100% Client-Side · Your data never leaves your browser

How to Use JWT Decoder

Paste your JWT into the input field. JWTs look like three Base64url strings separated by dots: header.payload.signature.

  • Click Decode or press Ctrl/Cmd+Enter to parse the token.
  • The Header panel shows the algorithm and token type.
  • The Payload panel shows all claims, with expiry status highlighted.
  • The Signature section shows the raw signature; verification is not performed (requires your secret key).

Use Load sample to try a demo token without pasting your own credentials.

Frequently Asked Questions

What is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe token format used for authentication and authorization. It consists of three Base64url-encoded parts separated by dots: a Header (algorithm), a Payload (claims), and a Signature.

Does this tool verify the JWT signature?

No. Signature verification requires the secret key and must happen server-side. This tool only decodes the header and payload; it shows you the claims but cannot confirm whether the token was legitimately signed.

Is my JWT sent to any server?

No. The token is decoded entirely in your browser using JavaScript string operations. No data is ever transmitted to an external server.

What does "expiring soon" mean?

If the token's exp (expiration) claim is within 5 minutes of the current time, the tool shows an "Expiring soon" warning. Tokens expire at the exact Unix timestamp set in exp.
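The decode-only behaviour described in these answers can be sketched as follows. This is an added example, not the tool's own source: the function names, the status strings, and the sample token are assumptions constructed for illustration, and the 5-minute window is taken from the answer above.

```javascript
// Added example: decode-only JWT inspection. Nothing here verifies the signature,
// so every decoded value must be treated as untrusted input.
const SOON_SECONDS = 5 * 60; // the page's "expiring soon" window

function b64urlToBytes(seg) {
  if (!/^[A-Za-z0-9_-]*$/.test(seg)) throw new Error("invalid Base64url segment");
  const b64 = seg.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
}

function decodeJson(seg) {
  const text = new TextDecoder("utf-8", { fatal: true }).decode(b64urlToBytes(seg));
  const value = JSON.parse(text);
  if (value === null || typeof value !== "object" || Array.isArray(value)) {
    throw new Error("segment is not a JSON object");
  }
  return value;
}

function expiryStatus(payload, nowSeconds) {
  if (typeof payload.exp !== "number" || !Number.isFinite(payload.exp)) return "no exp claim";
  if (nowSeconds >= payload.exp) return "expired"; // expires at the exact timestamp
  return payload.exp - nowSeconds <= SOON_SECONDS ? "expiring soon" : "not expired";
}

function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const payload = decodeJson(parts[1]);
  return {
    header: decodeJson(parts[0]),
    payload,
    signatureBytes: b64urlToBytes(parts[2]).length, // shown, never checked
    expiry: expiryStatus(payload, nowSeconds),
    verified: false, // decoding never proves who signed the token
  };
}

// Constructed sample token; the third segment is a dummy value, not a real MAC.
function b64url(str) { return btoa(str).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, ""); }
const SAMPLE = [
  b64url(JSON.stringify({ alg: "HS256", typ: "JWT" })),
  b64url(JSON.stringify({ sub: "user-123", iat: 1700000000, exp: 1700003600 })),
  "c2lnbmF0dXJl",
].join(".");
```

Because the result always carries `verified: false`, a caller cannot mistake a decoded `exp` or `sub` for an authenticated one; authorization decisions belong to code that has verified the signature first.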

Why is the signature shown but not verified?

HMAC and RSA signature verification requires the secret or public key, which you should never paste into a web tool. The raw signature bytes are displayed for informational purposes only.

What claims does the payload typically contain?

Common registered claims include sub (subject), iat (issued at), exp (expiration), nbf (not before), iss (issuer), and aud (audience). Applications also add custom private claims specific to their needs.
