JWT Decoder - Decode & Inspect JSON Web Tokens
Decode and inspect headers, payloads, and signatures of JSON Web Tokens locally.
🔍 Token Anatomy
{
"alg": "RS256",
"typ": "JWT",
"kid": "abc123"
}{
"sub": "user_123456",
"name": "Jane Doe",
"email": "jane@example.com",
"roles": [
"admin",
"user"
],
"iss": "https://auth.example.com",
"aud": "https://api.example.com",
"iat": 1719300000,
"nbf": 1719300000,
"exp": 9999999999
}💡 Token Claims Breakdown
About JWT Decoder
Looking for a free JWT decoder online? This tool decodes and inspects JSON Web Tokens instantly — displaying the header, payload, and signature with syntax highlighting, expiry time checks, and human-readable claim explanations. Your token never leaves your browser. No login, no server calls, 100% private.
JWT (JSON Web Token) is a compact, URL-safe token format used for authentication and information exchange. This decoder lets you inspect any JWT token without needing a backend — decode the header and payload, verify expiry, and understand every claim.
All decoding happens locally in your browser using the Web Crypto API. Your token is never transmitted to any server, making this safe to use with real tokens during development and debugging.
How to Decode a JWT Online
- Paste your JWT token (starts with eyJ…) into the input field
- The tool instantly decodes the header and payload
- Check the expiry status and time remaining
- Read claim explanations for all standard IANA JWT claims
- Copy the JSON header or payload with one click
JWT Structure
- Header (red): Contains token type (JWT) and signing algorithm (HS256, RS256, ES256, etc.)
- Payload (blue): Contains claims — registered (iss, sub, exp, iat) and custom claims
- Signature (green): Verifies the token hasn't been tampered with (requires secret/public key)
Standard JWT Claims Decoded
iss— Issuer: who created the tokensub— Subject: who the token represents (usually user ID)aud— Audience: intended recipient of the tokenexp— Expiration: Unix timestamp when the token expiresiat— Issued At: Unix timestamp when the token was creatednbf— Not Before: token is not valid before this timestampjti— JWT ID: unique identifier to prevent replay attacks
Use Cases
- Debugging authentication flows in web apps
- Checking if a JWT token is expired
- Inspecting claims returned by OAuth2/OIDC providers
- Understanding the structure of tokens from Auth0, Firebase, AWS Cognito
- Learning JWT internals for security auditing