JWT Decoder
Decode and inspect JSON Web Tokens with expiry status
About JWT Decoder
JWTs (JSON Web Tokens) consist of three Base64URL-encoded sections separated by dots: a header containing the algorithm, a payload containing the claims, and a signature for verification. This tool decodes the header and payload sections and displays them as formatted JSON, making it easy to inspect the contents of any JWT without writing code.

The header typically contains the algorithm (alg) — HS256, RS256, ES256 — and the token type. The payload contains the actual claims: the subject (sub), issuer (iss), audience (aud), expiration time (exp), and any custom claims your application adds. The tool parses the exp and iat (issued at) claims as timestamps and shows them as human-readable dates, and indicates whether the token is currently valid or expired — useful for debugging authentication issues where a token looks correct but is being rejected.

Important limitation: this tool decodes but does not verify. Verifying a JWT signature requires the secret key (for HMAC algorithms like HS256) or the public key (for RSA and EC algorithms like RS256, ES256). Signature verification must happen server-side. Decoding alone is sufficient for inspecting claims during development and debugging — but never trust a decoded JWT's claims in production code without verifying the signature first.
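The decode steps described above, written out as an added example (not this tool's own source): split on dots, Base64URL-decode the header and payload, convert iat and exp to dates, and report expiry without ever treating the claims as verified. The function names and the sample token are constructed for illustration; its third section is a placeholder, not a real signature.

```javascript
// Decode-only JWT inspection. Uses globals available in browsers and Node 16+.

function b64urlToJson(segment) {
  // Base64URL -> Base64: restore the standard alphabet and the stripped padding.
  let b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  b64 += '='.repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  // fatal: true rejects invalid UTF-8 instead of silently substituting characters.
  return JSON.parse(new TextDecoder('utf-8', { fatal: true }).decode(bytes));
}

function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) {
    throw new Error('expected 3 dot-separated sections: header.payload.signature');
  }
  const header = b64urlToJson(parts[0]);
  const payload = b64urlToJson(parts[1]);
  // exp and iat are seconds since the Unix epoch; Date expects milliseconds.
  const toIso = (v) => (typeof v === 'number' ? new Date(v * 1000).toISOString() : null);

  let status = 'no-exp';
  if (typeof payload.exp === 'number') {
    // A token is expired once the current time reaches exp.
    status = nowSeconds >= payload.exp ? 'expired' : 'not-expired';
  }
  return {
    header,
    payload,
    issuedAt: toIso(payload.iat),
    expiresAt: toIso(payload.exp),
    status,
    signatureVerified: false, // decoding never proves who issued the token
  };
}

// Constructed sample token (placeholder signature section "c2ln").
function makeSampleToken(claims) {
  const enc = (o) =>
    btoa(JSON.stringify(o)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc(claims)}.c2ln`;
}

const SAMPLE = makeSampleToken({
  sub: 'user-123', iss: 'https://issuer.example', iat: 1700000000, exp: 1700003600,
});
```

Passing a fixed nowSeconds makes the expiry result reproducible when debugging a rejected token against the server's clock.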
How to Use JWT Decoder Online
- Paste your data into the input field above
- The result appears instantly in the output area
- Click "Copy" to copy the result to your clipboard
Runs 100% client-side — no data is sent to any server.