Free Online JWT Decoder — Inspect Tokens Without Sending Them Anywhere
Paste a JSON Web Token and instantly see the decoded header, payload, claims, and expiration status. Everything runs in your browser — your token never leaves your machine.
Your token stays in your browser. Nothing is sent to a server.
What Is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe way to pass claims between two parties. It's the standard bearer token format for OAuth 2.0, OpenID Connect, and most modern API authentication schemes.
A JWT has three Base64URL-encoded parts separated by dots: header.payload.signature. The header declares the signing algorithm (e.g., HS256, RS256). The payload carries claims — registered claims like "exp" (expiration) and "iat" (issued at), plus any custom data your app needs. The signature ensures the token hasn't been tampered with.
This decoder splits the token, Base64URL-decodes the header and payload, and parses them as JSON. It also checks the "exp" claim against the current time to tell you whether the token is still valid.
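The decoding step described above, as an added example (this is not the tool's own source): it splits the token, Base64URL-decodes the header and payload, parses the JSON, checks "exp" against an injectable clock, and flags a five-part JWE and an "alg":"none" header. The sample tokens below are the ones from this page's Examples section.

```javascript
// Decode one Base64URL segment (RFC 4648 section 5: '-' '_' instead of '+' '/',
// padding dropped) to a UTF-8 string. Works in Node (Buffer) and in the browser
// (atob + TextDecoder, because atob alone mangles non-ASCII claim values).
function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  if (typeof Buffer !== 'undefined') return Buffer.from(padded, 'base64').toString('utf8');
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

// Split, decode and inspect a JWS compact token. `now` is milliseconds since
// the epoch and defaults to the local clock (so clock skew affects the result).
function decodeJwt(token, now = Date.now()) {
  const parts = token.trim().split('.');
  if (parts.length === 5) throw new Error('JWE (5 parts) is not supported; only JWS');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const [h, p, signature] = parts;
  const header = JSON.parse(base64UrlDecode(h));
  const payload = JSON.parse(base64UrlDecode(p));
  const hasExp = Number.isInteger(payload.exp);
  const expiresAt = hasExp ? new Date(payload.exp * 1000).toISOString() : null;
  const expired = hasExp && payload.exp * 1000 <= now;
  return {
    header,
    payload,
    signature, // shown, never checked: decoding proves nothing about authenticity
    expiresAt,
    expired,
    status: !hasExp ? 'NO EXP CLAIM'
      : expired ? `EXPIRED (expired ${expiresAt})` : `ACTIVE (until ${expiresAt})`,
    // A "none" algorithm means the token carries no signature at all.
    unsignedAlg: String(header.alg).toLowerCase() === 'none',
  };
}

// Constructed sample tokens (the same two shown on this page).
const HS256_TOKEN = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.'
  + 'eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkphbmUgRG9lIiwiZXhwIjoyMDAwMDAwMDAwfQ.signatureOutput';
const NONE_TOKEN = 'eyJhbGciOiJub25lIn0.eyJleHAiOjF9.signatureOutput';
```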
How to Use
- Paste your JWT into the text area. The token is decoded instantly as you type.
- Review the decoded Header to confirm the algorithm and token type.
- Check the Payload for claims like sub, exp, iat, and any custom fields.
- Look at the Status badge — it tells you if the token is expired or still active.
- Click Copy on any section to grab the formatted JSON for debugging.
When You Need This
Debugging authentication flows
Your login works in staging but fails in production. Paste the token from each environment and compare the claims side by side. Different issuers? Wrong audience? Missing roles? You'll see it immediately.
Checking token expiration during development
Your API returns 401 and you're not sure if it's the token or the endpoint. Paste it here to see the exact expiration time in UTC. Saves you from console.log(new Date(payload.exp * 1000)).
Reviewing tokens before sharing logs
Before pasting a token into a Slack thread or bug report, decode it to make sure it doesn't contain PII you shouldn't be sharing. This tool shows you exactly what's in there.
Learning JWT structure
If you're implementing JWT auth for the first time, paste example tokens to see how headers, claims, and signatures fit together. Better than reading the RFC cold.
Security Tips
Never trust a JWT without verifying the signature
Decoding is NOT verification. This tool shows you what's inside the token, but in production you must verify the signature against the issuer's public key or shared secret.
Keep tokens short-lived
Access tokens should expire in minutes, not days. Use refresh tokens for long sessions. If you see a token with exp set weeks into the future, that's a security smell.
Don't put secrets in the payload
JWTs are encoded, not encrypted. Anyone with the token can decode it. Never store passwords, API keys, or sensitive PII in JWT claims.
Check the algorithm header
The "alg":"none" attack is well-documented. If your decoded header shows "none", something is wrong. Production tokens should always use HS256, RS256, or stronger.
Examples
Standard HS256 token
A typical access token with standard claims.
Input
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkphbmUgRG9lIiwiZXhwIjoyMDAwMDAwMDAwfQ.signatureOutput
Header:
{
"alg": "HS256",
"typ": "JWT"
}
Payload:
{
"sub": "1234567890",
"name": "Jane Doe",
"exp": 2000000000
}
Expired token
A token with exp set in the past — the decoder flags this as expired.
Input
eyJhbGciOiJub25lIn0.eyJleHAiOjF9.signatureOutput
Header: { "alg": "none" }
Payload: { "exp": 1 }
Status: EXPIRED (expired 1970-01-01T00:00:01.000Z)
Limitations
- Decodes only — cannot verify JWT signatures. You cannot confirm whether a token is authentic without the signing key.
- Does not support encrypted JWTs (JWE). Only signed JWTs (JWS) in the three-part dot-separated format are parsed.
- Cannot edit or re-sign tokens. This is a read-only inspection tool.
- Expiration status is based on your local system clock. If your clock is skewed, the "expired" indicator may be inaccurate.
Features
- Instant decoding as you type — no button clicks needed
- 100% client-side, zero network requests after page load
- Expiration status with exact timestamp in UTC
- Separate display of header, payload, and signature
- One-click copy for each decoded section
- Privacy-first: your token never leaves your browser
FAQ
Is it safe to paste my production JWT here?
Yes. This tool runs entirely in your browser using JavaScript's built-in atob() function. Open DevTools → Network tab and verify: zero requests fire when you paste a token. Your data stays local.
Can this tool verify the signature?
No. Signature verification requires the signing key (a shared secret for HS256, or the public key for RS256). This tool only decodes and displays the token contents. For verification, use your backend JWT library.
Why does my token show as expired even though login still works?
You might be looking at an old access token while your app is silently using a refresh token to get new ones. Or your server clock and browser clock are out of sync. The decoder uses your browser's current time for the check.
What does "alg: none" mean?
It means the token has no cryptographic signature. This is a known attack vector (CVE-2015-9235). Legitimate systems never use "none" in production. If you see this in a real token, investigate immediately.
Can I decode JWE (encrypted tokens)?
No. This tool handles JWS (signed tokens) only. JWE tokens are encrypted and require the decryption key to read the payload. They look similar but have 5 dot-separated parts instead of 3.
Content last reviewed: June 2026
Your Privacy
All JWT decoding happens entirely in your browser. No tokens are uploaded to any server. Your authentication tokens never leave your device — verify by checking the Network tab in DevTools.
Tips & Related Workflows
- Need to decode the Base64 payload manually? Base64 Encoder/Decoder.
- Want to format the decoded JSON for readability? JSON Formatter.
- Checking token timestamps? Timestamp Converter.