A JSON Web Token (JWT) is a compact, URL-safe token format used for authentication and data exchange between services. JWTs consist of three Base64URL-encoded parts: header, payload, and signature. Paste your JWT below to instantly decode and inspect every claim, check expiration status, and copy the decoded JSON.
How to Use the JWT Decoder
JSON Web Tokens (JWTs) are the backbone of modern web authentication. Every time you log into a web application that uses OAuth 2.0, OpenID Connect, or a custom token-based auth system, you receive a JWT that encodes your identity and permissions. Our free JWT decoder lets you instantly inspect any token's contents without installing software or sharing your tokens with a server.
Step 1: Paste Your JWT Token
Copy your JWT token from your browser's developer tools, an API response, an authorization header, or a cookie. Paste it into the input textarea above. The token should be a string with three parts separated by dots, like xxxxx.yyyyy.zzzzz. The decoder starts working immediately as you type or paste.
Step 2: Inspect the Decoded Sections
The decoded JWT is displayed in three color-coded sections matching the jwt.io convention. The Header (blue) shows the signing algorithm and token type. The Payload (green) reveals all claims including user data, permissions, and timestamps. The Signature (red) shows the Base64URL-encoded cryptographic signature.
Step 3: Check Token Expiry and Timestamps
If the JWT contains an exp claim, the tool automatically checks whether the token has expired and displays the expiration time in a human-readable format. The iat (issued at) and nbf (not before) timestamps are also shown when present, making it easy to understand the token's validity window.
Step 4: Copy Decoded JSON
Use the copy buttons on each section to quickly copy the formatted JSON for the header or payload. This is useful when you need to share decoded token data with teammates, paste it into documentation, or compare claims across different tokens during debugging sessions.
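The steps above as an added example (not this tool's own code): a decode-only inspector in JavaScript that splits the token, Base64URL-decodes the header and payload, and evaluates the exp, nbf and iat claims. The names b64urlToJson and inspectJwt and the sample token are assumptions made for illustration, and the example goes slightly beyond the page by flagging alg "none" and an empty signature segment.

```javascript
// Added example: decode-only JWT inspection. The signature is NOT verified.

// Decode one Base64URL segment into a JSON object.
function b64urlToJson(segment) {
  // Map the URL-safe alphabet back to standard Base64 and restore padding.
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/")
    .padEnd(Math.ceil(segment.length / 4) * 4, "=");
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  const value = JSON.parse(new TextDecoder("utf-8", { fatal: true }).decode(bytes));
  if (value === null || typeof value !== "object") throw new Error("Segment is not a JSON object");
  return value;
}

// Hypothetical helper: nowSeconds is injectable so the expiry check is testable.
function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  const wellFormed = parts.length === 3 && parts[0] !== "" && parts[1] !== "" &&
    parts.every((p) => /^[A-Za-z0-9_-]*$/.test(p));
  if (!wellFormed) throw new Error("Invalid JWT Token");
  const header = b64urlToJson(parts[0]);
  const payload = b64urlToJson(parts[1]);
  // Timestamps are seconds since the epoch; out-of-range values yield null.
  const toIso = (v) =>
    (Number.isFinite(v) && Math.abs(v) <= 8.64e12 ? new Date(v * 1000).toISOString() : null);

  const warnings = [];
  if (String(header.alg).toLowerCase() === "none") warnings.push("alg is none: token is unsigned");
  if (parts[2] === "") warnings.push("signature segment is empty");

  // exp: the token counts as expired once the current time reaches it.
  let status = "no exp claim";
  if (Number.isFinite(payload.exp)) status = nowSeconds >= payload.exp ? "expired" : "not expired";
  if (status !== "expired" && Number.isFinite(payload.nbf) && nowSeconds < payload.nbf) status = "not yet valid";

  return { header, payload, status, warnings, signatureVerified: false,
    exp: toIso(payload.exp), iat: toIso(payload.iat), nbf: toIso(payload.nbf) };
}

// Constructed sample token: the third segment is a placeholder, not a real signature.
const enc = (obj) => btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const sampleToken = [
  enc({ alg: "HS256", typ: "JWT" }),
  enc({ sub: "user-123", iat: 1700000000, exp: 1700003600 }),
  "c2lnbmF0dXJl",
].join(".");

console.log(inspectJwt(sampleToken, 1700000100));
```

The result always carries signatureVerified: false, so callers cannot mistake a clean decode for an authenticated token.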
Common Use Cases
Developers frequently use a JWT decoder to debug authentication issues, verify that tokens contain the correct claims and scopes, check if tokens are expired, inspect tokens received from third-party identity providers like Auth0 or Firebase, and understand the token structure when implementing JWT-based APIs.
Frequently Asked Questions
Is this JWT decoder completely free?
Yes, our JWT decoder is 100% free with no usage limits, no premium tiers, and no account required. You can decode as many tokens as you need, as often as you like.
Is my JWT token safe when using this tool?
Absolutely. All decoding happens entirely in your browser using client-side JavaScript. Your JWT token is never sent to any server, never stored, and never logged. You can verify this by disconnecting from the internet and using the tool offline.
What is a JSON Web Token (JWT)?
A JSON Web Token is a compact, URL-safe token format used for securely transmitting information between parties. It consists of three Base64URL-encoded parts separated by dots: a header (algorithm and type), a payload (claims and data), and a signature (for verification). JWTs are widely used for authentication and authorization in web applications.
Can this tool verify JWT signatures?
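This tool decodes and inspects JWT tokens but does not verify cryptographic signatures, as that requires the signing secret or public key. It checks structural validity, decodes the header and payload, and highlights expired tokens based on the exp claim. Because the signature is not checked, a token that decodes cleanly here has not been shown to be authentic; the application that accepts the token must still verify the signature.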
How do I know if my JWT token has expired?
When you paste a JWT token, the tool automatically checks the exp (expiration) claim in the payload against the current time. If the token has expired, it is clearly highlighted in red with the exact expiry date and time shown in a human-readable format.
What JWT claims are displayed?
The tool displays all claims in the payload, including standard registered claims like iss (issuer), sub (subject), aud (audience), exp (expiration), nbf (not before), iat (issued at), and jti (JWT ID), as well as any custom claims your token contains.
What does the three-part JWT structure mean?
The three parts separated by dots are: the Header (blue), which specifies the signing algorithm and token type; the Payload (green), which contains the claims and user data; and the Signature (red), which is a cryptographic signature or MAC computed over the encoded header and payload and used to verify the token's integrity. Each part is Base64URL-encoded.