Free browser-based developer tool
JWT Decoder
Decode JSON Web Tokens and inspect the header, payload, claims, expiry time, issued time, and signature section. Useful for API testing, authentication debugging, OAuth, OpenID Connect, and backend development.
JWT input
Token status
DecodedHeader
{
"alg": "HS256",
"typ": "JWT"
}Payload
{
"sub": "1234567890",
"name": "SHB ToolBox",
"iat": 1700000000,
"exp": 1900000000
}Claims explanation
sub
Value: 1234567890
Subject. Usually identifies the user, account, or entity the token is about.
name
Value: SHB ToolBox
Name claim. Often contains the display name of the user.
iat
Value: 1700000000 (2023-11-14 22:13:20 UTC)
Issued at time. Shows when the token was created.
exp
Value: 1900000000 (2030-03-17 17:46:40 UTC)
Expiration time. After this time, the token should no longer be accepted.
Signature part
The third part of a JWT is the signature. This decoder displays it as text only. Signature verification requires the correct secret or public key and must be done securely in your trusted environment.
demo-signature
Decode JWT tokens online
A JWT, or JSON Web Token, is a compact token format commonly used in authentication, authorization, API access, OAuth flows, OpenID Connect, single sign-on, and backend service communication. A JWT usually contains three parts separated by dots: a header, a payload, and a signature. This JWT decoder helps you read the header and payload in a formatted JSON view so you can understand what claims are inside the token.
Developers often need to decode JWT tokens while debugging login issues, API authorization errors, expired sessions, incorrect user claims, wrong audience values, missing issuer values, or unexpected token payloads. This tool makes the token easier to inspect without manually decoding Base64URL sections.
JWT header decoder
View the token algorithm, token type, key ID, and other header fields where available.
JWT payload decoder
Read user claims, issuer, audience, subject, roles, issued time, expiry time, and custom fields.
Claim explanation
Understand common JWT claims such as exp, iat, nbf, iss, aud, sub, jti, name, email, and roles.
Private workflow
The decoder is designed to run in your browser without account creation.
What are the three parts of a JWT?
A standard JWT has three sections separated by dots. The first section is the header, which usually describes the signing algorithm and token type. The second section is the payload, which contains claims such as user ID, issuer, audience, issued time, expiry time, permissions, or custom application data. The third section is the signature, which is used by trusted systems to verify that the token has not been changed.
JWT decoding is not the same as JWT verification
Decoding a JWT only reads the Base64URL-encoded header and payload. It does not prove that the token is valid, trusted, unmodified, or authorized. To verify a JWT, the server must check the signature using the correct secret or public key, confirm the algorithm, validate expiry, issuer, audience, and other security rules. This online tool is for inspection and debugging, not for security verification.
Common JWT claims
- sub: Subject of the token, often the user ID.
- iss: Issuer that created the token.
- aud: Audience the token is intended for.
- iat: Issued-at time.
- exp: Expiration time.
- nbf: Not-before time.
- jti: Unique token ID.
When to use a JWT decoder
- Debugging expired tokens during API testing.
- Checking whether the expected user ID or role is present.
- Reviewing OAuth or OpenID Connect ID token claims.
- Understanding why an API rejects an access token.
- Inspecting custom claims in a development or staging environment.
JWT safety tips
Do not share live tokens
JWTs can contain access rights. Treat production access tokens like passwords.
Check expiry
The exp claim tells when the token expires, but servers must still validate it.
Verify server-side
Signature verification should happen in your trusted backend or security layer.
Watch sensitive claims
JWT payloads are readable. Avoid storing secrets or private data inside JWT payloads.
FAQ
Is this JWT decoder free?
Yes. You can decode JWT header and payload data for free without creating an account.
Does this verify JWT signatures?
No. This tool decodes JWT content only. It does not verify the signature or confirm token authenticity.
Can JWT payload be read by anyone?
Yes. JWT payloads are encoded, not encrypted, unless a separate encrypted token format is used.
Is my JWT uploaded?
The decoder is designed to process token text in your browser.