JWT Decoder
Decode and inspect JSON Web Tokens. View header, payload, and signature information.
How to use
- 1 Paste a JWT token (the three-part dot-separated string) into the input field.
- 2 The header and payload are decoded instantly — no server call is made.
- 3 Dates like exp (expiry) and iat (issued at) are shown in human-readable format.
- 4 The tool tells you if the token is expired. Note: signature verification requires the secret key.
Key features
- Decodes JWT header, payload, and signature without any server request
- Translates exp, iat, and nbf timestamps to human-readable dates
- Tells you if the token is currently expired
- Safe to use — only decoding, never sending tokens anywhere
What is a JWT?
A JSON Web Token (JWT, pronounced "jot") is a compact, URL-safe token format defined in RFC 7519. It consists of three Base64url-encoded parts separated by dots: header.payload.signature. The header describes the algorithm; the payload carries claims (statements about an entity); the signature verifies the token was issued by a trusted party.
JWTs are not encrypted by default — the header and payload are just Base64 encoded, which means anyone can decode and read their contents. The signature only proves the token hasn't been tampered with. If you need confidentiality, use JWE (JSON Web Encryption) instead.
Common Use Cases
Debugging authentication flows
Decode a token from an Authorization header or cookie to inspect its claims and verify expiry.
Checking token expiry
Decode the exp claim and compare it to the current time to understand why a request is returning 401.
Third-party OAuth tokens
Inspect access tokens from Google, GitHub, Auth0, or Okta to see what claims and scopes they carry.
API integration testing
Verify the payload of a token during development to confirm the correct user ID, roles, and permissions are included.
Understanding OIDC ID tokens
OpenID Connect ID tokens are JWTs. Decode one to inspect the user's identity claims (name, email, etc.).
Debugging microservices auth
In a service mesh, each service validates JWTs. Decode the token to trace which claims are being passed downstream.
Standard JWT Claims
Registered claims defined in RFC 7519 that you'll encounter in most tokens.
| Claim | Name | Meaning |
|---|---|---|
| iss | Issuer | Who issued the token (e.g. auth.example.com) |
| sub | Subject | Who the token is about (user ID) |
| aud | Audience | Intended recipient of the token |
| exp | Expiration | Unix timestamp: token is invalid after this |
| iat | Issued at | Unix timestamp: when the token was created |
| nbf | Not before | Token is invalid before this timestamp |