JWT Decoder
Decode and inspect JSON Web Tokens online for free. View the JWT header, payload, and claims without your secret key. Decoding is client-side only: no data is sent anywhere.
How to Use JWT Decoder
1. Paste your JWT (the full header.payload.signature string) into the input field.
2. The header and payload decode automatically as formatted JSON.
3. Check the exp (expiry), iat (issued at), and sub (subject) claims in the payload.
4. Review all other claims (roles, permissions, user ID) as needed.
5. Note: the tool decodes only. It does not verify the signature or validate the token, so nothing it displays has been authenticated.
About JWT Decoder
This free online JWT decoder lets you inspect any JSON Web Token instantly, without needing the signing key. Paste the full header.payload.signature string and the tool immediately displays the decoded header and payload as formatted, readable JSON.
When you need to decode a JSON Web Token to debug an authentication issue (checking whether the correct user ID is in the sub claim, reading the exp timestamp, or inspecting custom role and permission claims), this tool shows everything clearly with no setup required.
As a JWT inspector it is particularly useful during API development: paste tokens from your auth server, Postman, or browser DevTools and read every claim in seconds. All decoding happens in your browser using standard Base64URL decoding; nothing is sent to any server. A live token is still a bearer credential, though, so prefer expired or non-sensitive development tokens over active production ones, as the FAQ below recommends.
Note: this tool reads (decodes) the token contents only. It does not verify the signature or validate the token's authenticity.
How JWT Decoder Works
The JWT Decoder splits a JSON Web Token into its three dot-separated, Base64URL-encoded segments, Header.Payload.Signature, and decodes the first two. The header is JSON naming the signing algorithm (e.g. HS256, RS256) and the token type. The payload is JSON containing the claims: assertions such as the user ID (sub), expiry time (exp), issued-at time (iat), and any custom application data. The signature is raw bytes computed over the header and payload; a verifier that holds the right key uses it to detect tampering, but on its own it proves nothing. Because the header and payload are only Base64URL-encoded, not encrypted, the decoder reads them without any key. It also shows the exp and iat timestamps in human-readable form and flags the token as expired when your device's clock is past exp; that check is only as accurate as the local clock.
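As an added example (not the CalcDash tool's own code), here is a client-side decoder that does the same job: split on dots, Base64URL-decode the first two segments, parse them as JSON, and judge exp and nbf against an injectable clock. The function names (b64urlDecode, b64urlEncode, decodeJwt) are assumptions made for the example; the first sample token is the widely published jwt.io demo token, and the other two are constructed here. It runs in a browser or Node 16+ (global atob, btoa, TextEncoder and TextDecoder).

```javascript
// Added example, not CalcDash's code: a minimal client-side JWT decoder that
// does what the tool does (split, Base64URL-decode, parse, judge expiry) and
// nothing more. Runs in a browser or Node 16+ (global atob/btoa, TextDecoder).

// Base64URL (RFC 7515 section 2) -> UTF-8 string. JWT segments use the
// URL-safe alphabet ('-' and '_') and omit '=' padding, so restore both.
function b64urlDecode(segment) {
  if (!/^[A-Za-z0-9_-]*$/.test(segment)) {
    throw new Error("segment is not Base64URL");
  }
  const padded = segment.replace(/-/g, "+").replace(/_/g, "/") +
    "=".repeat((4 - (segment.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

// UTF-8 string -> Base64URL; used here only to build constructed sample tokens.
function b64urlEncode(str) {
  const bytes = new TextEncoder().encode(str);
  return btoa(String.fromCharCode(...bytes))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Decode only: no signature verification. The clock is a parameter so that
// expiry checks are deterministic; it defaults to the local clock.
function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) {
    // Five segments would be a JWE (encrypted); this decoder handles JWS only.
    throw new Error(`expected 3 dot-separated segments, got ${parts.length}`);
  }
  const [h, p, sig] = parts;
  const header = JSON.parse(b64urlDecode(h));
  const payload = JSON.parse(b64urlDecode(p));

  const warnings = [];
  if (typeof header.alg !== "string" || header.alg.toLowerCase() === "none") {
    warnings.push("alg is none or missing: the token is unsigned");
  }
  if (sig === "") warnings.push("signature segment is empty");
  if (typeof payload.exp !== "number") {
    warnings.push("no exp claim: the token never expires");
  }

  // exp, nbf and iat are NumericDate values: seconds (not ms) since the Unix epoch.
  const toIso = (t) => (typeof t === "number" ? new Date(t * 1000).toISOString() : null);
  return {
    header,
    payload,
    signature: sig, // returned as-is: a decoder cannot judge it
    issuedAt: toIso(payload.iat),
    expiresAt: toIso(payload.exp),
    expired: typeof payload.exp === "number" && nowSeconds >= payload.exp,
    notYetValid: typeof payload.nbf === "number" && nowSeconds < payload.nbf,
    warnings,
  };
}

// Sample inputs. None of these is a live credential.
// 1) The widely published jwt.io demo token (HS256, no exp claim).
const DEMO_TOKEN =
  "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9." +
  "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ." +
  "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c";
// 2) Constructed: the same payload under an alg:none header with an empty signature.
const NONE_TOKEN = "eyJhbGciOiJub25lIn0." + DEMO_TOKEN.split(".")[1] + ".";
// 3) Constructed: exp one hour after iat; the signature bytes are dummy.
const EXPIRING_TOKEN = [
  b64urlEncode(JSON.stringify({ alg: "HS256", typ: "JWT" })),
  b64urlEncode(JSON.stringify({ sub: "1234567890", iat: 1516239022, exp: 1516242622 })),
  "dummy-signature",
].join(".");

if (typeof require !== "undefined" && require.main === module) {
  // Evaluate all three at a fixed "now" equal to EXPIRING_TOKEN's exp.
  for (const t of [DEMO_TOKEN, NONE_TOKEN, EXPIRING_TOKEN]) {
    console.log(JSON.stringify(decodeJwt(t, 1516242622), null, 2));
  }
}
```

The signature segment comes back untouched: a decoder has no way to tell a valid signature from random bytes, which is why the alg:none sample and the token with a dummy signature decode just as happily as the real one. The warnings list is advisory only; the server, not the decoder, decides what to reject.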
Who Uses This Tool and Why
- Developers debugging JWT-based authentication systems decode tokens to inspect claims, check expiry times, and confirm that the correct scopes and roles are being embedded.
- API developers decode JWTs to confirm that their authentication server is embedding the required claims before testing downstream API calls.
- Security engineers audit JWT contents during penetration tests to check for sensitive data in the payload, weak or unexpected header settings (alg none, or HS256 where the verifier should accept only asymmetric algorithms), and missing exp claims. A short HS256 secret is not visible in the token itself and is tested separately.
- Frontend developers decode ID tokens (or JWT-formatted access tokens) returned by OAuth/OIDC providers (Auth0, Cognito, Okta) to read user claims for UI personalisation without a separate profile API call. An unverified claim must never be used to make an authorisation decision on the client.
- DevOps engineers debug Kubernetes RBAC and service mesh authentication issues by decoding service account tokens to check the namespace, audiences (aud), and expiry.
Limitations & Practical Tips
Known Limitations
- The decoder reads and displays the header and payload, which are only Base64URL-encoded, not encrypted. Never put secrets or PII in a JWT payload unless the token is encrypted (JWE): anyone holding the token can read it.
- Signature verification requires the secret key (HMAC) or the public key (RSA/ECDSA). This tool only decodes; it does not validate the signature, so a token that decodes cleanly may still have been forged or altered.
- The tool does not support JWE (JSON Web Encryption) tokens, which have five dot-separated segments and an encrypted payload; it handles only JWS (signed) tokens with a readable payload.
Tips for Best Results
- Always check the alg header parameter (it is a header field, not a payload claim). Tokens with alg none carry no signature and must be rejected by any server. A verifier should pin the algorithms it accepts rather than trusting whatever the header says. When the issuer and the verifiers are different services, prefer RS256 or ES256 over HS256 so that verifiers hold only a public key.
- The exp claim is a Unix timestamp in seconds (not milliseconds). If the current time is at or past exp, the token is expired and must not be accepted; verifiers commonly allow a few seconds of leeway for clock skew, nothing more.
- Never log full JWTs in application logs. A JWT is a bearer credential: anyone who reads it from a log can replay it against the API until it expires.
Frequently Asked Questions
- What is a JWT (JSON Web Token)?
A JWT is a compact, URL-safe token format for transmitting claims between parties with integrity protection: a signature or MAC lets the recipient detect tampering, but the contents are not confidential unless the token is also encrypted. It consists of three Base64URL-encoded parts separated by dots: a header (algorithm), a payload (claims), and a signature. JWTs are commonly used for authentication and API authorization.
- Is it safe to decode a JWT publicly?
The header and payload are Base64URL-encoded, not encrypted, so anyone who holds the token can decode them. This tool decodes in your browser and sends nothing to a server, but a live token is a bearer credential: never paste active tokens that carry sensitive data (API keys, PII) into any online tool. Use expired tokens or non-sensitive development tokens for debugging.
- What are the standard JWT claims?
Common registered claims include: iss (issuer), sub (subject/user ID), aud (audience), exp (expiration time as Unix timestamp), iat (issued at), nbf (not before), and jti (JWT ID). The exp field is shown as both a timestamp and human-readable date in this decoder.
- Can this tool verify a JWT signature?
No. Signature verification requires the secret key (for HMAC algorithms) or the public key (for RSA/ECDSA). An HMAC secret must never be pasted into a browser-based tool, and this decoder does not implement verification at all; it only decodes the header and payload. Use your server-side JWT library (jsonwebtoken, PyJWT, etc.) to verify signatures, and configure it to accept only the algorithm you expect.
- What does "token is expired" mean?
If the payload contains an exp (expiration) claim and the current time is at or past that Unix timestamp, the token is expired and a server must reject it. Expired tokens are fine for decoding and debugging but must not be used for authentication.
- What algorithms are used to sign JWTs?
The most common are HS256 (HMAC using SHA-256, with a symmetric shared secret), RS256 (RSASSA-PKCS1-v1_5 using SHA-256, with an asymmetric key pair), and ES256 (ECDSA using the P-256 curve and SHA-256). HS256 is simpler, but every verifier must hold the secret, and any party that can verify can therefore also mint tokens. RS256 and ES256 let the public key be distributed freely for verification while the private signing key stays with the issuer.
- What is the difference between JWT and session cookies?
A session cookie carries only an opaque session ID; the user's data lives server-side and is looked up on every request. A JWT is stateless: the user data is encoded in the token itself and trusted after the signature is verified. That removes the per-request lookup, which makes JWTs popular for distributed systems and microservices, at the cost that a token cannot be revoked before it expires without extra infrastructure (a deny list, or short lifetimes with refresh tokens).
Last updated: May 2, 2026 — JWT Decoder by CalcDash.