JWT Decoder Online — Decode JSON Web Token
Decode JWT tokens online. View header, payload, claims, and expiry. 100% client-side — your token stays private.
How to Use JWT Decoder
1. Paste your JWT token into the input area.
2. Header, payload, and signature are automatically decoded.
3. Check expiry, issuer, and custom claims at a glance.
About JWT Decoder
Decode JSON Web Tokens instantly with our free online JWT decoder. JWTs are the standard for modern API authentication, but their opaque format makes debugging tricky. Paste any JWT and immediately see the decoded header, payload, and signature. Expiry timestamps are converted to human-readable dates. Tokens are never transmitted or logged. Decoding happens entirely in your browser via Base64URL decoding.
Built by
Fateh Raiyan Ishmum. Full-stack web developer since 2020. Builds privacy-first, open-web tools. Specialises in Next.js, TypeScript, and performance-focused design.
Frequently Asked Questions
A JSON Web Token (JWT) is a compact, URL-safe token consisting of three Base64URL-encoded parts separated by dots: header.payload.signature. JWTs are widely used for authentication and API authorization in modern web apps.
Paste the JWT into this tool. Decoding happens entirely in your browser — your token is never sent to any server, never logged, never stored. The page works fully offline once loaded.
No. This tool only decodes the header and payload. Signature verification requires the secret (HS256) or public key (RS256) and should always be done on the server. Never trust an unverified JWT for authorization.
Yes — anyone can decode the header and payload of a JWT without the secret because they're just Base64URL-encoded. This is why you must never store passwords or sensitive data inside a JWT payload.
After decoding, look at the 'exp' claim in the payload. It's a Unix timestamp (seconds since epoch). This tool automatically converts it to a human-readable date and tells you if the token is expired.
header (algorithm & token type) . payload (claims) . signature (HMAC or RSA of the first two parts). The dots separate them. Each part is Base64URL-encoded.
Bearer tokens are a transport mechanism (sent in the Authorization header as 'Bearer <token>'). JWTs are one common format for bearer tokens, but not all bearer tokens are JWTs — some are opaque/random strings.