Free browser-based developer tool

JWT Decoder

Decode JSON Web Tokens and inspect the header, payload, claims, expiry time, issued time, and signature section. Useful for API testing, authentication debugging, OAuth, OpenID Connect, and backend development.

Important: This tool decodes JWT content only. It does not verify the signature, validate trust, confirm authenticity, or prove that the token is safe. Never paste sensitive production tokens into tools you do not trust.

JWT input

Token status

Decoded
HS256Algorithm
JWTType
ActiveExpiry status
3Token parts

Header

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload

{
  "sub": "1234567890",
  "name": "SHB ToolBox",
  "iat": 1700000000,
  "exp": 1900000000
}

Claims explanation

sub

Value: 1234567890

Subject. Usually identifies the user, account, or entity the token is about.

name

Value: SHB ToolBox

Name claim. Often contains the display name of the user.

iat

Value: 1700000000 (2023-11-14 22:13:20 UTC)

Issued at time. Shows when the token was created.

exp

Value: 1900000000 (2030-03-17 17:46:40 UTC)

Expiration time. After this time, the token should no longer be accepted.

Signature part

The third part of a JWT is the signature. This decoder displays it as text only. Signature verification requires the correct secret or public key and must be done securely in your trusted environment.

demo-signature

Decode JWT tokens online

A JWT, or JSON Web Token, is a compact token format commonly used in authentication, authorization, API access, OAuth flows, OpenID Connect, single sign-on, and backend service communication. A JWT usually contains three parts separated by dots: a header, a payload, and a signature. This JWT decoder helps you read the header and payload in a formatted JSON view so you can understand what claims are inside the token.

Developers often need to decode JWT tokens while debugging login issues, API authorization errors, expired sessions, incorrect user claims, wrong audience values, missing issuer values, or unexpected token payloads. This tool makes the token easier to inspect without manually decoding Base64URL sections.

JWT header decoder

View the token algorithm, token type, key ID, and other header fields where available.

JWT payload decoder

Read user claims, issuer, audience, subject, roles, issued time, expiry time, and custom fields.

Claim explanation

Understand common JWT claims such as exp, iat, nbf, iss, aud, sub, jti, name, email, and roles.

Private workflow

The decoder is designed to run in your browser without account creation.

What are the three parts of a JWT?

A standard JWT has three sections separated by dots. The first section is the header, which usually describes the signing algorithm and token type. The second section is the payload, which contains claims such as user ID, issuer, audience, issued time, expiry time, permissions, or custom application data. The third section is the signature, which is used by trusted systems to verify that the token has not been changed.

JWT decoding is not the same as JWT verification

Decoding a JWT only reads the Base64URL-encoded header and payload. It does not prove that the token is valid, trusted, unmodified, or authorized. To verify a JWT, the server must check the signature using the correct secret or public key, confirm the algorithm, validate expiry, issuer, audience, and other security rules. This online tool is for inspection and debugging, not for security verification.

Common JWT claims

  • sub: Subject of the token, often the user ID.
  • iss: Issuer that created the token.
  • aud: Audience the token is intended for.
  • iat: Issued-at time.
  • exp: Expiration time.
  • nbf: Not-before time.
  • jti: Unique token ID.

When to use a JWT decoder

  • Debugging expired tokens during API testing.
  • Checking whether the expected user ID or role is present.
  • Reviewing OAuth or OpenID Connect ID token claims.
  • Understanding why an API rejects an access token.
  • Inspecting custom claims in a development or staging environment.

JWT safety tips

Do not share live tokens

JWTs can contain access rights. Treat production access tokens like passwords.

Check expiry

The exp claim tells when the token expires, but servers must still validate it.

Verify server-side

Signature verification should happen in your trusted backend or security layer.

Watch sensitive claims

JWT payloads are readable. Avoid storing secrets or private data inside JWT payloads.

FAQ

Is this JWT decoder free?

Yes. You can decode JWT header and payload data for free without creating an account.

Does this verify JWT signatures?

No. This tool decodes JWT content only. It does not verify the signature or confirm token authenticity.

Can JWT payload be read by anyone?

Yes. JWT payloads are encoded, not encrypted, unless a separate encrypted token format is used.

Is my JWT uploaded?

The decoder is designed to process token text in your browser.