Online JWT Decoder

Decode, Debug, and Inspect JSON Web Tokens instantly. View Header, Payload, and Expiry times in a readable format. Secure, client-side, and free.

What is a JWT?

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed.

JWTs are widely used in modern web development for Authentication (logging in users) and Information Exchange. When a user logs in, the server generates a token that the client (browser) saves and sends back with every request to prove identity.

Key Features

100% Client-Side

Tokens are decoded locally in your browser. No data is ever sent to a server.

Syntax Highlighting

Beautifully formatted JSON output with color coding for easy reading.

Date Conversion

Automatically converts Unix timestamps (iat, exp, nbf) into human-readable dates.

Format Validation

Instantly detects malformed tokens or invalid Base64 strings.

How to Decode a Token

Debugging authentication issues is easy with our tool. Follow these steps:

1. Get Token

   Copy the JWT string. It usually looks like eyJhbG... and is found in your browser's Local Storage or Cookies.

2. Paste It

   Paste the string into the input box on this page. The tool will auto-detect the format.

3. Inspect

   View the decoded Header and Payload. Check the "exp" field to see whether the token has expired.

The Anatomy of a JWT

Developer Note: JWTs are Base64Url encoded, NOT encrypted. This means anyone who has the token can read the data inside. Never store sensitive information like passwords in a JWT payload.

A JWT is composed of three parts separated by dots (.):

  • Header

    Contains metadata about the token, typically the type of token (JWT) and the signing algorithm being used (e.g., HMAC SHA256 or RSA).

  • Payload

    Contains the claims. Claims are statements about an entity (typically, the user) and additional data like user ID, roles, and expiration time.

  • Signature

    Used to verify that the message wasn't changed along the way. In the case of tokens signed with a private key, it can also verify that the sender is who they say they are.
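The following is an added example, not the tool's own source code: it performs the same client-side steps described above and in "How to Decode a Token" (split on the dots, Base64Url-decode the header and payload, convert the iat/nbf/exp timestamps to dates, flag malformed input) and deliberately stops short of signature verification. The sample token is constructed here from the well-known HS256 header and a made-up payload; its third segment is a placeholder, not a real HMAC.

```javascript
// Works in a browser and in Node: atob/btoa and TextEncoder/TextDecoder are globals in both.
function base64UrlDecode(segment) {
  // Base64Url alphabet is A-Z a-z 0-9 '-' '_' with the '=' padding dropped (RFC 7515).
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error("segment is not valid Base64Url");
  let b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  while (b64.length % 4 !== 0) b64 += "=";          // restore the padding Base64Url removes
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);            // header and payload are UTF-8 JSON
}

function base64UrlEncode(text) {
  const bin = Array.from(new TextEncoder().encode(text), (b) => String.fromCharCode(b)).join("");
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Split header.payload.signature and decode the two readable parts. The signature is
// returned untouched and never checked: reading a token proves nothing about who issued it.
function decodeJwt(token) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error(`malformed JWT: expected 3 parts, got ${parts.length}`);
  const [h, p, sig] = parts;
  return { header: JSON.parse(base64UrlDecode(h)), payload: JSON.parse(base64UrlDecode(p)),
           signature: sig, verified: false };
}

// Convert the registered time claims (seconds since the Unix epoch) to ISO-8601 dates.
function claimDates(payload) {
  const out = {};
  for (const c of ["iat", "nbf", "exp"]) {
    if (typeof payload[c] === "number") out[c] = new Date(payload[c] * 1000).toISOString();
  }
  return out;
}

// RFC 7519 rejects a token when now >= exp or now < nbf. A token inside its window may
// still be forged or tampered with; only the backend's signature check settles that.
function tokenStatus(payload, nowSeconds = Math.floor(Date.now() / 1000)) {
  if (typeof payload.exp === "number" && nowSeconds >= payload.exp) return "expired";
  if (typeof payload.nbf === "number" && nowSeconds < payload.nbf) return "not yet valid";
  return "within validity window";
}

// Constructed sample (not a real credential): the well-known HS256 header plus a made-up
// payload; the third segment is a placeholder string, not an HMAC over the first two.
const HEADER_B64 = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9"; // {"alg":"HS256","typ":"JWT"}
const SAMPLE_PAYLOAD = { sub: "user-42", role: "viewer", iat: 1704063600, nbf: 1704063600, exp: 1704067200 };
const SAMPLE_TOKEN = [HEADER_B64, base64UrlEncode(JSON.stringify(SAMPLE_PAYLOAD)),
                      base64UrlEncode("placeholder-signature")].join(".");
```

Calling `decodeJwt(SAMPLE_TOKEN)` followed by `claimDates` and `tokenStatus` reproduces what the page displays; feeding it a two-part string or a segment containing characters outside the Base64Url alphabet raises the "malformed token" errors the Format Validation feature describes.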

Frequently Asked Questions

Is it safe to decode my production tokens here?
Yes, absolutely. This tool operates entirely on the client side using JavaScript. Your JWTs are processed within your own browser and are never sent to our servers or any third party.
Can I verify the JWT signature?
For security reasons, we do not allow inputting secret keys on the frontend to verify signatures. Signature verification should strictly be done on your secure backend server.
How do I check if my token is expired?
Paste your token into the tool. We automatically extract the 'exp' (expiration) claim and convert the Unix timestamp into a readable date, showing you exactly when it expires.
What algorithms are supported?
The decoder works with any valid JWT structure, regardless of the algorithm (HS256, RS256, ES256, etc.), as decoding Base64Url does not require knowledge of the algorithm.
What is a 'Bearer' token?
Bearer tokens are the predominant type of access token used with OAuth 2.0. The term 'Bearer' means 'give access to the bearer of this token'. You often see 'Authorization: Bearer <token>' in HTTP headers.