
JWT Decoder

Decode JWT header and payload data locally so you can inspect claims, timestamps, and token structure during auth debugging. Useful for API testing, session troubleshooting, and understanding what a token actually contains.

What is JWT Decoder?

JSON Web Tokens (JWT) are compact strings used to carry claims like user IDs, roles, issuers, audiences, and expiry timestamps between systems. They consist of header, payload, and signature sections separated by dots. This tool decodes the readable parts so you can inspect what a token actually contains.

That is especially useful during authentication debugging. If a user session fails, an API rejects a request, or a token appears expired, decoding the claims quickly helps you see whether the issue is the payload itself, the timestamp window, or a validation rule elsewhere in the stack.

How to Use JWT Decoder

1. Paste your JWT token into the input
2. The header and payload are automatically decoded
3. View the claims, expiration time, and other metadata
4. Check if the token is expired

Common Use Cases

  • Backend developers checking issuer, audience, role, and expiry claims during auth debugging.
  • Frontend engineers inspecting access tokens returned by a login flow before wiring protected routes.
  • Support teams verifying whether a copied token is expired before escalating an authentication issue.
  • Developers learning JWT structure and confirming what is encoded in the payload versus what still needs signature validation.

Example Input and Output

JWT debugging often starts by checking standard claims like issuer, audience, and expiration before digging into signature issues.

JWT payload after decode
{
  "sub": "user_481",
  "role": "admin",
  "iss": "auth.webtoolsplanet.com",
  "aud": "dashboard",
  "iat": 1730961000,
  "exp": 1730964600
}

What to inspect
- issuer matches expected auth service
- audience matches the app consuming the token
- iat and exp are in the expected time window
- role / custom claims match the user session

Security

JWT decoding runs in the browser, but tokens can still contain sensitive internal claims. Avoid sharing copied payloads in tickets or public chat unless you have redacted them.

Important distinction

Decoding is not verification. A token can decode cleanly and still be invalid because the signature, issuer, audience, or expiration checks fail in your application.
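
The decode-then-inspect workflow above, as an added example in JavaScript (not this tool's own code): it decodes the Base64URL header and payload locally, checks iss, aud, iat and exp against expected values, and always reports signatureVerified as false because no signature check is done. The function names, the expected-values object and the sample tokens (built from the example payload above with a placeholder signature) are assumptions made for illustration.

```javascript
// Added example: decode-only JWT inspection. No signature check is performed.
function b64urlToJson(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error('segment is not Base64URL');
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder('utf-8', { fatal: true }).decode(bytes));
}

// expected = { issuer, audience } (hypothetical shape); nowSeconds is injectable for testing.
function inspectJwt(token, expected, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const header = b64urlToJson(parts[0]);
  const payload = b64urlToJson(parts[1]);
  const findings = [];
  if (payload.iss !== expected.issuer) findings.push('iss mismatch');
  // RFC 7519 allows aud to be a single string or an array of strings.
  const audiences = [].concat(payload.aud ?? []);
  if (!audiences.includes(expected.audience)) findings.push('aud mismatch');
  if (typeof payload.exp !== 'number') findings.push('exp missing');
  else if (nowSeconds >= payload.exp) findings.push('expired');
  if (typeof payload.iat === 'number' && payload.iat > nowSeconds) findings.push('iat in the future');
  // Decoding proves nothing about authenticity, so this flag is always false here.
  return { header, payload, findings, signatureVerified: false };
}

// Constructed sample token: the page's example payload with a placeholder signature.
const encode = (obj) =>
  btoa(JSON.stringify(obj)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const samplePayload = {
  sub: 'user_481', role: 'admin', iss: 'auth.webtoolsplanet.com',
  aud: 'dashboard', iat: 1730961000, exp: 1730964600,
};
const sampleHeader = encode({ alg: 'HS256', typ: 'JWT' });
const sampleSig = 'constructed-not-a-real-signature';
const sampleToken = [sampleHeader, encode(samplePayload), sampleSig].join('.');
// Same header and signature, payload edited after "signing": it still decodes cleanly.
const editedToken = [sampleHeader, encode({ ...samplePayload, sub: 'user_999' }), sampleSig].join('.');
const expected = { issuer: 'auth.webtoolsplanet.com', audience: 'dashboard' };

console.log(inspectJwt(sampleToken, expected, 1730962000).findings); // inside the validity window
console.log(inspectJwt(sampleToken, expected, 1730970000).findings); // after exp
console.log(inspectJwt(editedToken, expected, 1730962000)); // no findings, yet unverified
```

The edited token passes every claim check, which is why the result carries signatureVerified: false and why the claim checks only count after your application has verified the signature.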

Frequently Asked Questions

Is this secure?
Yes, decoding happens entirely in your browser. JWTs are not encrypted; they are only signed. The payload is Base64URL-encoded and can be decoded by anyone.
Can this verify signatures?
No, this tool only decodes. Signature verification requires the secret key, which should never be shared publicly.
What is the difference between decoding and validating a JWT?
Decoding means reading the header and payload. Validation means checking the signature and confirming claims like issuer, audience, and expiration against your application rules.
Why is the payload readable if the token is supposed to be secure?
JWT payloads are usually Base64URL-encoded, not encrypted. The security comes from the signature check, not from hiding the claim values.
Will this show if the token is expired?
Yes. Decoding lets you inspect exp, iat, and related timestamps so you can see whether the token is outside its expected validity window.
Is my token sent to a server when I decode it?
No. Decoding happens locally in the browser, which is safer when the token includes internal identifiers or environment-specific claims.
Should I paste production tokens into debugging tools?
Only when necessary and only in tools you trust. This page decodes locally, but production tokens can still contain sensitive claims, so avoid sharing copied payloads afterward.