JWT Decoder Online

Paste a JWT token to instantly decode its header, payload, and signature. 100% client-side — your token never leaves the browser.

What Is a JWT Token?

A JSON Web Token (JWT) is a compact, URL-safe method for representing claims between two parties. Defined in RFC 7519, JWTs are widely used for authentication and authorization in web APIs, single-page applications, and microservices.

A JWT consists of three Base64URL-encoded parts separated by dots (.):

  • Header — algorithm (alg) and token type (typ)
  • Payload — claims (user data, expiry, issuer, etc.)
  • Signature — cryptographic proof the token has not been altered

How to Decode a JWT Token Online

Decoding a JWT is straightforward because the header and payload are only Base64URL-encoded, not encrypted. To decode a JWT online:

  1. Copy the full JWT string (starts with eyJ…)
  2. Paste it into the input box above
  3. The header and payload decode instantly — no button press needed
  4. Review expiry time, issuer, subject and other claims in the table

This JWT decoder runs entirely in your browser. The token is never sent to any server.

Standard JWT Claims Explained

Claim   Name         Description
iss     Issuer       Identifies the principal that issued the token
sub     Subject      Identifies the subject of the token (usually a user ID)
aud     Audience     Identifies the recipients the token is intended for
exp     Expiration   Unix timestamp after which the token is invalid
nbf     Not Before   Unix timestamp before which the token must not be accepted
iat     Issued At    Unix timestamp when the token was issued
jti     JWT ID       Unique identifier for this specific token

Security Note

Do not paste JWTs that grant access to production systems or sensitive data into any online tool — including this one. While this tool is 100% client-side and your token never leaves your browser, it is still good practice to treat bearer tokens as secrets. Use this tool for debugging purposes with test tokens only.

Frequently Asked Questions

Is it safe to decode JWT tokens online?

This tool is safe for debugging because it runs entirely in your browser — no data is sent to a server. However, as a general security practice, avoid pasting real production JWTs (especially those for banking, healthcare, or admin access) into any website. Use test or expired tokens when debugging.

Can this tool verify the JWT signature?

No. Signature verification requires the secret key (for HMAC algorithms like HS256) or the public key (for RSA/ECDSA algorithms). Since this tool runs client-side without any key, it can only decode and display the contents. To verify signatures, use your backend SDK (e.g., jsonwebtoken for Node.js).

What algorithms do JWTs support?

Common JWT signing algorithms include: HS256, HS384, HS512 (HMAC-SHA), RS256, RS384, RS512 (RSA), ES256, ES384, ES512 (ECDSA), and PS256, PS384, PS512 (RSASSA-PSS). The algorithm is named in the token's header under the alg parameter. A token whose alg is none carries no signature at all and should never be accepted in production; a verifier should require the algorithm it expects rather than trust whatever the header says.

Why does my JWT say "Expired"?

JWTs contain an exp (expiration) claim which is a Unix timestamp. If the current time is past that timestamp, the token is expired. Expired tokens should be rejected by your server. You need to re-authenticate to get a fresh token. Common token lifetimes are 15 minutes to 24 hours for access tokens.

What is the difference between JWT and session cookies?

Session cookies store a session ID server-side, requiring a database lookup per request. JWTs are self-contained — all claims are in the token itself, making them stateless and ideal for distributed systems and microservices. The trade-off is that JWTs cannot be revoked before expiry without additional infrastructure (e.g., a token blocklist).

How do I decode a JWT in JavaScript?

You can decode a JWT payload in pure JavaScript without any library:

function decodeJWT(token) {
  // A JWT is header.payload.signature; this only decodes the first two parts
  // and does NOT verify the signature.
  const [header, payload] = token.split('.');
  const decode = (str) => {
    // Base64URL -> Base64 (atob tolerates the missing '=' padding), then read
    // the bytes as UTF-8 so non-ASCII claim values are not mangled by atob.
    const bin = atob(str.replace(/-/g, '+').replace(/_/g, '/'));
    const bytes = Uint8Array.from(bin, (c) => c.charCodeAt(0));
    return JSON.parse(new TextDecoder().decode(bytes));
  };
  return { header: decode(header), payload: decode(payload) };
}