
JWT Decoder — Decode and Inspect JWT Tokens Online


Decode JWT tokens instantly. View header, payload claims, expiry, and algorithm without a secret key. Free, browser-based, no upload.


Settings guide

What each part shows:

  • Header — Algorithm (alg: HS256, RS256, ES256) and token type (typ: JWT). The algorithm tells you whether the token is HMAC symmetric (HS256) or asymmetric RSA/ECDSA (RS256/ES256). alg: none marks an unsecured JWT with an empty signature segment; a verifier should reject it.
  • Payload — All claims. Standard claims: sub (subject/user ID), iss (issuer), aud (audience), exp (expiry Unix timestamp), iat (issued-at timestamp), nbf (not-before). Custom claims are shown as-is.
  • Expiry status — The exp claim is compared to the current time. Expired, active, and time-until-expiry are shown clearly.
  • Signature — Displayed as raw Base64url but not validated. A note states which key material server-side validation needs for the header's algorithm: the shared secret for HS256, the issuer's public key for RS256/ES256.

Format comparison

JWT decoder vs JWT validator: Decoding reads the token's content — no secret key needed, no network call. Validation cryptographically verifies the signature — it requires the signing secret (HS256) or the issuer's public key (RS256/ES256) and must be done server-side, because a decoded claim is untrusted input until the signature has been checked. Never send your signing secret to an online tool. Decode here; validate in your backend code.

HS256 vs RS256 tokens: HS256 (HMAC-SHA256) uses the same secret to sign and verify — shared secret, both parties must know it. RS256 uses a private key to sign and a public key to verify — the public key can be shared freely. If you see RS256 in the header, the token was signed with a private key and can be verified with the corresponding public key (often available at the issuer's JWKS endpoint). Your verifier should pin the algorithm it expects rather than letting the header's alg value choose it: the header is unauthenticated until the signature has been verified.

How it works

1. Split on dots

The JWT is split at the two dot separators into three segments: header, payload, and signature. A signed JWT (JWS compact serialization) always has exactly two dots and three segments, even when the signature segment is empty (alg: none).

2. Decode Base64url

The header and payload segments are Base64url-decoded (replacing - with + and _ with /, and restoring the = padding that Base64url omits) and then JSON-parsed to reveal their key-value contents.

3. Parse claims

Standard claims are identified and formatted: exp and iat Unix timestamps are converted to human-readable dates. The exp claim is compared to the current time to show expiry status.

4. Display structure

Header and payload are displayed as formatted JSON with claim names annotated. The raw signature is shown but not validated — validation requires the signing secret (HS256), which stays on your server, or the issuer's public key (RS256/ES256).

About this format

A JWT (JSON Web Token) is three Base64url-encoded segments joined by dots: `header.payload.signature`. The header and payload are plain JSON — readable by anyone who holds the token, without any key. The signature protects integrity, but checking it requires the signing secret (HS256) or the issuer's public key (RS256/ES256).

Paste any JWT and see the decoded header (algorithm, token type), full payload with all claims (sub, iss, aud, exp, iat, and any custom claims), and a human-readable expiry timestamp. Useful for debugging authentication failures, confirming which user a token represents, and inspecting claim values during development.

The signature is not validated — this tool is for inspection only, and a decoded claim should not be trusted until your backend has verified the signature. HS256 verification requires the signing secret, which should never leave your server.

Frequently asked questions

Is it safe to paste a JWT into an online decoder?
For development and debugging tokens, yes. For production tokens, remember that a JWT is a bearer credential and its payload may contain personal data: use caution, paste only in private/incognito browsing, and prefer your browser's DevTools console. atob() decodes standard Base64 locally; replace - with + and _ with / and restore the = padding first, since JWT segments use Base64url. This tool processes everything locally in your browser — nothing is transmitted to a server.
Can I verify a JWT signature here?
No. Signature verification requires the signing secret (HS256), which must never be entered into an online tool, or the issuer's public key (RS256/ES256). This decoder shows token contents only. Verify signatures server-side using your language's JWT library, with the expected algorithm pinned in your code rather than taken from the token's header.
What does 'Token expired' mean?
The exp claim in the payload contains a Unix timestamp for when the token expires. If the current time is at or past that timestamp, the token is expired and your server should reject it (most libraries allow a few seconds of leeway for clock skew). Check the exp value and compare it to the current Unix timestamp to see how long ago it expired.
What is the difference between HS256 and RS256?
HS256 (HMAC-SHA256) is symmetric — the same secret key signs and verifies the token, so every verifier can also mint tokens. RS256 is asymmetric — a private key signs the token, and a public key verifies it. RS256 is preferred when multiple services need to verify tokens without sharing a secret. The algorithm is visible in the decoded header.
My JWT has more than three segments. Is it invalid?
A signed JWT (JWS) has three segments separated by two dots. A token with five segments (four dots) is a JWE (JSON Web Encryption) token: header, encrypted key, initialization vector, ciphertext, and authentication tag. Only the JWE header is readable; the payload is ciphertext, not JSON, and cannot be inspected without the decryption key. Any other segment count is not a valid compact-serialized token.
