JWT Decoder

Decode JSON Web Tokens locally in your browser. View the header, payload, common claims, UTC timestamps and local timestamps without uploading the token.

JWT decoding happens locally in your browser. Tokens are never uploaded or transmitted. Signature validation is not performed.

Instant decoding: Read token contents quickly.
Local processing: No upload or API call.
One-click copy: Copy header or payload.
Readable claims: Inspect common JWT fields.
UTC and local: Convert timestamp claims.

Quick JWT decoder examples

Decode access token
Inspect expiration date
View user claims
Debug API authentication
Compare UTC and local timestamps

What is a JWT?

A JWT, or JSON Web Token, is a compact way to represent claims as JSON and pass them between systems. JWTs are common in API authentication, single sign-on, mobile apps, cloud identity platforms and service-to-service communication. A decoded JWT often contains details such as issuer, audience, subject, expiration time and the algorithm named in the header.

JWTs are easy to copy and transmit because they use URL-safe Base64 sections separated by dots. That makes them convenient, but it also means the header and payload are not secret by default. Anyone who has the token can decode those parts.

JWT structure explained

Most JWTs have three sections: header, payload and signature. They look like header.payload.signature. The header usually says which algorithm is referenced and that the token type is JWT. The payload contains claims. The signature is used by a validating system to check whether the token was created by a trusted party and has not been changed.

This tool decodes the header and payload only. It does not check a secret, public key, issuer configuration or audience rule, so it cannot prove that a token is authentic.

Header, Payload and Signature

The header is metadata. The payload is the claim set. The signature is the part a server validates using a trusted key or secret. Decoding is useful for reading token contents, while validation is what decides whether an application should trust the token.

Common JWT claims

Common claims include sub for subject, iss for issuer, aud for audience, exp for expiration, iat for issued at, nbf for not before and jti for token ID. Time claims are usually Unix timestamps in seconds. This decoder converts those values to UTC and local browser time so they are easier to inspect.
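
The decoding described above, as an added example that is not this tool's own code: it splits the token, base64url-decodes the header and payload, and converts iat, nbf and exp from Unix seconds to UTC and local time. The function names and the sample token are constructed for illustration; the signature segment is a placeholder and is never checked.

```javascript
// Added example: decode-only JWT inspection. Nothing here verifies a signature.
function b64urlToJson(segment) {
  // base64url -> base64, restore padding, decode the bytes as UTF-8 JSON
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  const value = JSON.parse(new TextDecoder().decode(bytes));
  if (value === null || typeof value !== 'object') throw new Error('not a JSON object');
  return value;
}

function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split('.');
  if (parts.length !== 3 || !parts[0] || !parts[1]) {
    return { status: 'malformed', reason: 'expected header.payload.signature' };
  }
  let header, payload;
  try {
    header = b64urlToJson(parts[0]);
    payload = b64urlToJson(parts[1]);
  } catch (err) {
    return { status: 'malformed', reason: 'header or payload is not base64url JSON' };
  }
  // Time claims are Unix seconds; Date expects milliseconds.
  const times = {};
  for (const claim of ['iat', 'nbf', 'exp']) {
    if (typeof payload[claim] === 'number') {
      const d = new Date(payload[claim] * 1000);
      times[claim] = { utc: d.toISOString(), local: d.toString() };
    }
  }
  // Structural status only: a token that is not expired is still unverified.
  let status = 'decoded';
  if (typeof payload.exp === 'number' && nowSeconds >= payload.exp) status = 'expired';
  else if (typeof payload.nbf === 'number' && nowSeconds < payload.nbf) status = 'not yet valid';
  return { status, alg: header.alg, typ: header.typ, header, payload, times };
}

// Constructed sample token for the demo.
const toSegment = (obj) =>
  btoa(JSON.stringify(obj)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const SAMPLE = [
  toSegment({ alg: 'HS256', typ: 'JWT' }),
  toSegment({ sub: 'user-123', iss: 'https://issuer.example', aud: 'api.example',
              iat: 1700000000, exp: 1700003600 }),
  'c2lnbmF0dXJl', // placeholder signature segment
].join('.');

console.log(decodeJwt(SAMPLE, 1700000100));
```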

Why developers decode JWTs

Developers decode JWTs to debug sign-in flows, API authorization, expired sessions, incorrect audiences, missing scopes, identity provider settings and claim mapping. DevOps and cloud engineers may inspect tokens when configuring gateways, load balancers, serverless functions or application middleware.

JWT security basics

Treat real tokens carefully. Do not paste production tokens into public chats, issue trackers or screenshots. Avoid storing passwords, secrets or sensitive personal data in JWT payloads because payloads are only encoded, not encrypted. Always validate signatures and claims on the server or trusted backend before granting access.

Common JWT decoding mistakes

Thinking decoding verifies authenticity

Decoding only reads the token contents. It does not prove the signature is valid or that an application should trust the token.

Sharing production tokens publicly

Production tokens can contain access rights or identifying data. Handle them like sensitive credentials, even when you only plan to decode them.

Ignoring expiration times

The exp claim is one of the first things to check when an API call fails. This tool flags expired tokens structurally, but your app still needs real validation.

Storing sensitive information in JWT payloads

JWT payloads are encoded, not hidden. Avoid putting secrets, passwords or private data in payloads unless the token is encrypted with an appropriate design.

Assuming JWT payloads are encrypted

A normal signed JWT can be decoded by anyone who has it. Encryption is a different token design and should not be assumed from the JWT format alone.

Free online JWT decoder

This JWT decoder helps developers, DevOps engineers, cloud engineers, API developers, security engineers and students inspect JSON Web Tokens quickly. Paste a token, decode the header and payload, read common claims and convert time-based claims into both UTC and local browser time. Everything runs locally in your browser.

The tool is useful when debugging access tokens, ID tokens, API gateway behavior, authentication middleware, OAuth flows, OpenID Connect integrations and cloud identity configuration. You can load a safe example token, copy the decoded header or payload and use Ctrl or Cmd + Enter to decode while editing.

Decoded locally, not validated

Decoding and validation are not the same. This page decodes token structure and displays helpful claim information, but it does not perform cryptographic signature verification. A production system must validate the signature, issuer, audience, lifetime and other rules using trusted server-side configuration.
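
What that server-side validation involves for an HS256 token, as an added Node.js example that is not part of this tool: the algorithm is pinned by configuration, the signature is compared in constant time, and only then are issuer, audience and lifetime checked. The secret, issuer, audience and helper names are constructed placeholders, and the second sample shows a token whose payload was altered after signing: it still decodes, but it does not validate.

```javascript
// Added example (Node.js): validation, as opposed to decoding. HS256 only.
const crypto = require('node:crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');

// Hypothetical helper, used only to construct sample tokens for this demo.
function signHs256(payload, secret) {
  const input = `${b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }))}.${b64url(JSON.stringify(payload))}`;
  return `${input}.${crypto.createHmac('sha256', secret).update(input).digest('base64url')}`;
}

function validateJwt(token, { secret, issuer, audience, now = Math.floor(Date.now() / 1000) }) {
  const parts = token.split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const [h, p, sig] = parts;
  let header, payload;
  try {
    header = JSON.parse(Buffer.from(h, 'base64url').toString('utf8'));
    payload = JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));
    if (!header || !payload) throw new Error('not a JSON object');
  } catch { return { ok: false, reason: 'malformed' }; }
  // Pin the algorithm from server configuration; never let the header choose it.
  if (header.alg !== 'HS256') return { ok: false, reason: 'unexpected alg' };
  const expected = crypto.createHmac('sha256', secret).update(`${h}.${p}`).digest();
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad signature' };
  }
  // Claims are trusted only after the signature check has passed.
  if (payload.iss !== issuer) return { ok: false, reason: 'wrong issuer' };
  const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  if (!aud.includes(audience)) return { ok: false, reason: 'wrong audience' };
  if (typeof payload.exp !== 'number' || now >= payload.exp) return { ok: false, reason: 'expired' };
  if (typeof payload.nbf === 'number' && now < payload.nbf) return { ok: false, reason: 'not yet valid' };
  return { ok: true, claims: payload };
}

// Constructed sample data: secret, issuer and audience are placeholders.
const CONFIG = { secret: 'demo-secret-not-for-production', issuer: 'https://issuer.example', audience: 'api.example' };
const claims = { sub: 'user-123', role: 'reader', iss: CONFIG.issuer, aud: CONFIG.audience, iat: 1700000000, exp: 1700003600 };
const GOOD = signHs256(claims, CONFIG.secret);

// Same header and signature, payload changed after signing: decodes, must not validate.
const [gh, , gs] = GOOD.split('.');
const TAMPERED = `${gh}.${b64url(JSON.stringify({ ...claims, role: 'admin' }))}.${gs}`;

console.log(validateJwt(GOOD, { ...CONFIG, now: 1700000100 }));
console.log(validateJwt(TAMPERED, { ...CONFIG, now: 1700000100 }));
```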

JWT Decoder FAQ

What is a JWT?

A JWT, or JSON Web Token, is a compact token format often used to pass identity and authorization claims between systems.

Can this tool verify signatures?

No. This tool decodes JWT structure and claims only. It does not verify cryptographic signatures.

Does this tool upload my token?

No. JWT decoding happens locally in your browser and tokens are never uploaded or transmitted.

What does exp mean?

The exp claim is the expiration time. It is usually a Unix timestamp that says when the token should stop being accepted.

What does iat mean?

The iat claim means issued at. It is usually a Unix timestamp showing when the token was created.

What is the difference between decoding and validation?

Decoding reads the token contents. Validation verifies signature, issuer, audience, expiration and other rules using trusted configuration.

Can I use this with Auth0 tokens?

Yes. You can decode Auth0 JWTs locally to inspect their header and payload, but signature validation is not performed.

Can I use this with Azure AD tokens?

Yes. You can decode Azure AD JWTs locally to inspect claims and timestamps, but signature validation is not performed.

Is this tool free?

Yes. The JWT decoder is free to use and runs in your browser.