
JWT Decoder

Paste any JSON Web Token to instantly read its header, payload claims, and expiry timestamps. No signing key needed. Free, nothing stored.

Your token is decoded server-side only for JSON formatting. Nothing is stored or logged.

About the JWT Decoder

JWT Decoder is a free online tool for developers who need to inspect JSON Web Tokens during OAuth flows, API debugging, or session troubleshooting. Paste a JWT (the long dot-separated string you get from an Authorization header or cookie) and the tool instantly splits it into its three parts: a header (algorithm and token type), a payload (claims like user ID, expiry, and roles), and a signature. The header and payload are decoded from Base64url and formatted as readable JSON. Time fields (exp, iat, nbf) are converted to human-readable timestamps so you can immediately see whether a token has expired without mentally converting Unix timestamps. The signature segment is displayed as raw Base64url: it cannot be verified without the signing key, and this tool never asks for one. Your token is decoded server-side purely to pretty-print the JSON, and no token content is stored or logged.

Common use cases

  • Inspect the claims inside an OAuth access token to debug a permissions or role issue.
  • Check the exp claim to see whether a JWT has expired or is still within its validity window.
  • Identify the signing algorithm (HS256, RS256, etc.) and key ID (kid) from the header.
  • Check the iss and aud claims during an OIDC integration to confirm they name the expected provider and audience.
  • Quickly read payload claims during API development without writing decode code.

Frequently asked questions

Does JWT Decoder verify the signature?

No. Signature verification requires the signing key, which you should never paste into a third-party tool. This tool only decodes and displays the header and payload — the readable parts of a JWT that require no key.

Is my JWT stored or logged?

No. Your pasted token is used only to split and decode the three segments for display. Nothing is stored, logged, or transmitted beyond the decode operation.

What does exp mean in a JWT payload?

exp is the Unix timestamp (seconds since 1970-01-01 UTC) at which the token expires. This tool converts it to a readable date and time so you can immediately see whether the token has expired.

What is a JWT?

A JSON Web Token (JWT) is a compact, Base64url-encoded string used to transmit claims between systems. It consists of three dot-separated parts: a header (algorithm and type), a payload (the claims), and a signature (integrity protection, so tampering can be detected). JWTs are used in OAuth 2.0, OpenID Connect, and many API authentication systems.

Can I decode a JWT without the signing key?

Yes. The header and payload of a JWT are only Base64url-encoded, not encrypted. You can read them without any key. Only signature verification requires the key.
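
The split-and-decode steps described above, as an added Python example that is not this tool's own code; the function names and the sample token are assumptions constructed for illustration. It reads claims without checking the signature, so the result is marked unverified and is suitable for inspection only.

```python
import base64
import json
from datetime import datetime, timezone

TIME_CLAIMS = ("exp", "iat", "nbf")  # the timestamp claims named on this page


def b64url_decode(segment):
    """Decode Base64url, restoring the '=' padding that JWT segments omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_unverified(token, now=None):
    """Split and decode a JWT for inspection. The signature is never checked,
    so every returned claim is untrusted input."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    try:
        # binascii.Error, JSONDecodeError and UnicodeDecodeError are all ValueError
        header, payload = (json.loads(b64url_decode(p)) for p in parts[:2])
    except ValueError as exc:
        raise ValueError(f"segment is not Base64url-encoded JSON: {exc}") from exc
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise ValueError("header and payload must be JSON objects")
    times = {}
    for claim in TIME_CLAIMS:
        value = payload.get(claim)
        if isinstance(value, (int, float)) and not isinstance(value, bool):
            try:
                times[claim] = datetime.fromtimestamp(value, tz=timezone.utc).isoformat()
            except (OverflowError, OSError, ValueError):
                pass  # out-of-range timestamp: leave it unconverted
    now = datetime.now(timezone.utc).timestamp() if now is None else now
    expired = "exp" in times and now >= payload["exp"]  # expired at or after exp
    return {"header": header, "payload": payload, "times": times,
            "expired": expired, "signature": parts[2], "verified": False}


def make_sample_token():
    """Constructed sample: the third segment is a placeholder, not a real MAC."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": "user-123", "iat": 1699996400, "exp": 1700000000}
    segments = [json.dumps(part).encode() for part in (header, payload)]
    return ".".join([b64url_encode(s) for s in segments] + [b64url_encode(b"placeholder")])
```

Calling `decode_jwt_unverified(make_sample_token())` returns the header, payload, converted timestamps and an `expired` flag; a token with a forged payload decodes just as cleanly, which is why authorization decisions need signature verification in the application itself.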

Related tools

Base64 Encoder / Decoder

JWT header and payload segments are Base64url-encoded — encode or decode segments manually to cross-check the decoded output.

JSON Formatter & Validator

The decoded JWT payload is a JSON object — format it for easy reading and validate it contains exactly the claims your application requires.

Unix Timestamp Converter

JWT exp, iat, and nbf claims are Unix epoch integers — paste one here to see the exact UTC expiry time and human-readable date.

Regex Tester

Test regex patterns against decoded JWT payload claims — extract subject IDs, scope strings, or email patterns from the decoded JSON.
