Free JWT Decoder — Inspect Token Header & Payload Online
Decode and inspect JWT tokens — header, payload, and signature — without any verification.
About this tool
Paste any JWT (JSON Web Token) to instantly decode and inspect its header and payload. See all claims including expiry time (exp), issued-at (iat), issuer (iss), and custom claims. The signature section is displayed but not verified — this tool is purely for inspection and debugging.
What is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe token made up of three Base64url-encoded parts: a header (algorithm and token type), a payload (claims about the user or session), and a signature. They are the industry standard for authentication — when you log in to a web app, you almost certainly receive a JWT.
Reading Your Token
The payload contains key claims: `sub` (user ID), `exp` (expiry), `iat` (issued at), `iss` (issuer), and any custom claims your app adds. The decoder shows all of these in formatted JSON, with `exp` and `iat` Unix timestamps converted to human-readable dates automatically.
keyInspect Any JWT Instantly
Paste your JWT and see the decoded header, payload, and all claims in formatted JSON. Expiry and issued-at timestamps are converted to readable dates — no manual Unix timestamp conversion needed.
JWTs are decoded entirely client-side — your token never leaves your browser. Safe to use for local debugging.
Quick Usage Guide
- 1Decode JWT header and payload with formatted JSON output
- 2Displays all standard claims: exp, iat, nbf, iss, aud, sub
- 3Human-readable expiry and issued-at timestamps
- 4Signature section shown for reference (not verified)
- 5100% browser-based — tokens never leave your device
Frequently Asked Questions
help_outlineDoes this tool verify the JWT signature?
No. This tool only decodes (base64url-decodes) the header and payload portions of the JWT for inspection. Signature verification requires the secret key or public key and is not performed here.
verifiedIs it safe to paste my JWT here?
All decoding happens entirely in your browser — nothing is sent to any server. That said, JWTs may contain sensitive claims, so avoid pasting production tokens in shared or public environments.
quizWhat are JWT claims?
Claims are key-value pairs in the JWT payload that describe the token subject. Standard claims include sub (subject/user ID), exp (expiry timestamp), iat (issued at), iss (issuer), and aud (audience). Applications also add custom claims.
account_balance_walletWhy does my JWT show as expired?
The exp (expiration) claim is a Unix timestamp. If the current time is past that timestamp, the token is considered expired. This tool displays the human-readable expiry time so you can see at a glance whether the token is still valid.