JWT Decoder - Decode JSON Web Tokens & Check Expiry Online
Paste any JSON Web Token to instantly decode its header and payload, view the signature, and check whether it has expired. Runs locally — your tokens never leave your browser.
This tool only decodes the token — it does not verify the signature against a secret or public key. Anyone with the token can read its payload, so never put secrets in a JWT.
Frequently Asked Questions
Paste the encoded JWT (the long eyJ… string) into the input box. The tool splits it on the two dots, Base64URL-decodes the header and payload, and shows the JSON for each plus the raw signature segment — all without making any network request.
No. The decoder only parses the token — it does not check the signature against a secret or public key, because verification requires the issuer's key material. Use a server-side JWT library for production verification; this tool is for inspection and debugging.
You get the header (algorithm and key id), the payload claims (sub, iss, aud, iat, exp and any custom claims) and the raw signature. Standard timestamp claims are formatted as human-readable dates so you can spot stale tokens at a glance.
If the payload contains the standard "exp" claim, the tool compares it to the current time and shows either "Valid until" or "Token expired at" with the exact timestamp. Tokens without an exp claim are reported as having no expiry.
Anyone who obtains a JWT can use it until it expires, so production tokens belong in private tools. This decoder runs entirely in your browser and never transmits the token, but the safer rule is to decode short-lived development tokens whenever possible.
A JWT has three Base64URL-encoded segments separated by dots: header (signing algorithm), payload (the claims the issuer wants the verifier to trust) and signature (a MAC or digital signature over header.payload). Decoding never needs a key — only verification does.
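The decode and expiry steps described in the answers above, written out as an added example (this is not the tool's own code). The function names and the sample token are constructed for illustration, and the signature segment is a placeholder that is never verified.

```javascript
// Decode-only JWT inspection. The signature is not verified, so nothing
// returned here may be trusted for an authorization decision.
function base64UrlDecode(segment) {
  if (!/^[A-Za-z0-9_-]*$/.test(segment) || segment.length % 4 === 1) {
    throw new Error("segment is not valid Base64URL");
  }
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  // fatal: true rejects byte sequences that are not well-formed UTF-8
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

function parseJsonObject(segment, name) {
  const value = JSON.parse(base64UrlDecode(segment));
  if (typeof value !== "object" || value === null || Array.isArray(value)) {
    throw new Error(`${name} is not a JSON object`);
  }
  return value;
}

function decodeJwt(token) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  return {
    header: parseJsonObject(parts[0], "header"),
    payload: parseJsonObject(parts[1], "payload"),
    signature: parts[2], // raw segment, displayed but not checked
  };
}

// exp is seconds since the Unix epoch; a token is expired once now >= exp.
function expiryStatus(payload, nowSeconds = Math.floor(Date.now() / 1000)) {
  if (!("exp" in payload)) return "No expiry";
  if (typeof payload.exp !== "number" || !Number.isFinite(payload.exp)) {
    return "Invalid exp claim";
  }
  const when = new Date(payload.exp * 1000).toISOString();
  return nowSeconds >= payload.exp ? `Token expired at ${when}` : `Valid until ${when}`;
}

// Constructed sample token (ASCII-only claims, placeholder signature).
function makeSampleToken(claims) {
  const enc = (obj) =>
    btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "HS256", typ: "JWT" })}.${enc(claims)}.c2lnLXBsYWNlaG9sZGVy`;
}
const SAMPLE = makeSampleToken({ sub: "user-123", iss: "https://issuer.example", exp: 1700000000 });
```

Malformed input (wrong segment count, characters outside the Base64URL alphabet, non-object JSON) raises an error instead of producing partial output.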
How JWT Decoder helps you get it done
Real problems it solves every day — for businesses, creators, and everyday tasks. Find the use case that fits you and start in seconds.
Debug OAuth & OpenID Connect Flows
Decode access tokens and ID tokens returned by Auth0, Okta, Cognito and Azure AD to verify scopes, audiences and issuers during local OAuth integration work
Inspect Authorization Headers in API Calls
Paste the bearer token from a failing API request to confirm whether the wrong tenant, role or expiry is to blame before opening a ticket with the backend team
Check Token Expiry During Development
Spot expired tokens that are silently breaking your staging environment by reading the exp claim — no need to copy the token into a terminal or write a quick script
Audit Permissions Encoded in Token Claims
Verify custom claims such as roles, tenants and feature flags so admins can confirm a customer's token grants exactly the access intended by the licence team
Validate Single Sign-On Integrations
Inspect SAML and OIDC tokens produced by enterprise SSO integrations to confirm group memberships and attribute mappings before rolling out to all employees
Teach Token-Based Authentication
Use the decoded header, payload and signature panes to explain how JWTs are structured to bootcamp students, junior engineers and security workshop attendees
Pixoate