JWT Decoder
Paste any JWT to decode header, payload & claims

JWT Inspector

Free online JWT decoder. Paste any JSON Web Token and instantly decode the header, payload, and signature. See expiry time, issued-at, token type, and all claims. 100% client-side — your tokens never leave your browser.

Free, no login, 100% browser-based, no data sent to servers.

What is a JWT Inspector?

A JSON Web Token (JWT) is a compact, URL-safe token format used for authentication and information exchange. It consists of three Base64URL-encoded parts separated by dots: a header (algorithm), a payload (claims like user ID and expiry), and a signature. The signature is cryptographic: this tool decodes and displays the header and payload but does not verify the signature, which requires the secret key or public key.

Paste any JWT to instantly see its decoded contents. Expiry time (exp), issued-at (iat), and not-before (nbf) claims are automatically converted to human-readable dates. Useful for debugging auth flows, inspecting third-party tokens, and checking expiry during development.

What is a JWT token?
A JSON Web Token (JWT) is a compact, URL-safe way of representing claims between two parties. It consists of three Base64URL-encoded parts separated by dots: a header (algorithm and token type), a payload (claims like user ID, expiry, roles), and a signature used to verify the token hasn't been tampered with.
Is it safe to paste my JWT token here?
Yes. This tool runs entirely in your browser using JavaScript. Your JWT is never sent to any server. That said, you should still avoid sharing real production tokens containing sensitive user data. For testing, use tokens from your development environment.
What do the JWT claims mean?
Common JWT claims: 'sub' (subject, usually user ID), 'iss' (issuer), 'aud' (audience), 'exp' (expiry timestamp), 'iat' (issued at timestamp), 'nbf' (not before timestamp), 'jti' (unique token ID). Custom claims are defined by your application.
Why does this tool show 'expired'?
The 'exp' claim in the JWT payload is a Unix timestamp. If that timestamp is in the past, the token is expired. This is normal — JWTs have short lifetimes (often 15 minutes to 24 hours) for security reasons. You'll need to obtain a fresh token from your authentication server.
Can this tool verify the JWT signature?
This tool decodes the header and payload — it does not verify the cryptographic signature, as that requires your server's secret key or public key. For signature verification, use your server-side JWT library (e.g. jsonwebtoken for Node.js, PyJWT for Python, or java-jwt for Java).
Can I decode a JWT without the secret key?
Yes — the header and payload are Base64url-encoded, not encrypted. Anyone can decode them without the secret. The secret is only needed to VERIFY the signature (prove the token wasn't tampered with). Never put sensitive data in JWT payloads that you don't want users to see.
What does "JWT signature invalid" mean?
It means the token's signature doesn't match the header + payload. This happens when: the token was tampered with, you're using the wrong secret, the token was signed with a different algorithm than expected, or the token has expired. Decode the payload to check the exp (expiry) timestamp.
