JWT Decoder & Inspector
Decode JWT header, payload, and inspect expiry — all in your browser
Your input never leaves your browser — all processing happens client-side.
Free Online JWT Decoder & Inspector
JSON Web Tokens (JWTs) are widely used for authentication and authorization in modern web applications. This tool decodes the Base64URL-encoded header and payload of any JWT, shows you the claims in formatted JSON, and tells you whether the token is expired — all without sending your token to any server.
What is JWT Decoder & Inspector?
A JSON Web Token (JWT) is a compact, URL-safe way to represent claims between two parties. It consists of three Base64URL-encoded sections: the Header (algorithm and type), the Payload (claims like user ID, roles, expiry), and the Signature (cryptographic proof of integrity). The token is typically passed in HTTP Authorization headers as 'Bearer <token>' and is decoded and verified by the receiving server.
How to Use This Tool
1. Paste your JWT token into the input field.
2. The tool automatically splits it at the dots and decodes each section.
3. Review the Header for the signing algorithm (e.g., HS256, RS256).
4. Review the Payload for claims like sub (subject), exp (expiry), iat (issued at).
5. Check the expiry status — the tool highlights if the token is expired.
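The same steps written out in JavaScript, as an added example rather than this tool's own source code: it splits the token, Base64URL-decodes the header and payload, and reports expiry without verifying the signature. The names decodeSegment, inspectJwt, encodeSegment and SAMPLE_TOKEN are hypothetical, and the sample token is constructed.

```javascript
// Added example; decodeSegment, inspectJwt, encodeSegment and SAMPLE_TOKEN
// are hypothetical names. Decode only: the signature is never verified.
function decodeSegment(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error("not Base64URL");
  // Base64URL -> Base64: swap the URL-safe characters and restore padding.
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  // fatal: true rejects invalid UTF-8 instead of silently replacing it.
  const text = new TextDecoder("utf-8", { fatal: true }).decode(bytes);
  const value = JSON.parse(text);
  if (value === null || typeof value !== "object" || Array.isArray(value)) {
    throw new Error("segment is not a JSON object");
  }
  return value;
}

function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const header = decodeSegment(parts[0]);
  const payload = decodeSegment(parts[1]);
  const exp = payload.exp;
  // Date covers at most +/-8.64e12 seconds around the epoch.
  const valid = Number.isFinite(exp) && Math.abs(exp) <= 8.64e12;
  let expiry = "no exp claim";
  if (exp !== undefined) {
    // RFC 7519: a token must not be accepted on or after exp.
    expiry = !valid ? "exp is not a valid timestamp"
      : nowSeconds >= exp ? "expired" : "not expired";
  }
  return {
    header, payload, expiry,
    expiresAt: valid ? new Date(exp * 1000).toISOString() : null,
    signatureChecked: false, // decoding proves nothing about integrity
  };
}

// Constructed sample token; its signature part is a dummy string.
function encodeSegment(obj) {
  const bytes = new TextEncoder().encode(JSON.stringify(obj));
  return btoa(String.fromCharCode(...bytes))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
const SAMPLE_TOKEN = [
  encodeSegment({ alg: "HS256", typ: "JWT" }),
  encodeSegment({ sub: "user-123", iat: 1700000000, exp: 1700003600 }),
  "constructed-signature",
].join(".");
```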
Use Cases
- Debugging authentication issues — inspect the claims your server is receiving.
- Verifying token expiry without implementing a full decode in code.
- Security auditing — check what data is encoded in tokens (remember: JWTs are encoded, not encrypted by default).
- Learning and education — understand the structure of JWTs.
- CTF challenges involving JWT manipulation or analysis.
Is It Safe to Use?
This tool runs entirely client-side. Your JWT is never sent to any server. The decoding uses standard Base64URL decoding which is built into every browser. That said, avoid pasting real production tokens as a general security hygiene practice — use test tokens or expired ones for inspection.
Frequently Asked Questions
Can this tool validate JWT signatures?
No. Signature validation requires the secret key or public key used to sign the token. This tool only decodes the base64url-encoded header and payload — it cannot verify the signature without the key. Only your server should perform signature validation.
Is it safe to paste a real JWT here?
Since this tool is fully client-side, your JWT is processed only in your browser. However, as a best practice, avoid pasting production JWTs — especially bearer tokens — into any third-party tool. Use test or expired tokens for inspection.
What are the three parts of a JWT?
A JWT consists of three Base64URL-encoded parts separated by dots: (1) Header — the algorithm and token type, (2) Payload — the claims (data), and (3) Signature — a cryptographic signature to verify the token wasn't tampered with.
What does 'exp' mean in the payload?
The 'exp' (expiration time) claim is a Unix timestamp after which the token should no longer be accepted. This tool automatically decodes it to a human-readable date and highlights whether the token is expired.