Is it safe to paste my JWT here?

All decoding happens in your browser — the token is never sent to any server. That said, treat production JWTs as sensitive. Revoke any token you believe has been exposed.

What are the three parts of a JWT?

A JWT consists of: (1) Header — algorithm and token type, (2) Payload — claims and user data, (3) Signature — verifies the token hasn't been altered. Each part is Base64URL-encoded and separated by dots.

What does the 'exp' claim mean?

'exp' is the expiration time claim — a Unix timestamp (seconds since January 1, 1970) after which the token must not be accepted. The tool converts this to a human-readable date for you.

Can I use this to decode tokens from any provider?

Yes. Any standard JWT — regardless of whether it was issued by Auth0, Firebase, AWS Cognito, or your own server — can be decoded here.

JWT Decoder

Decode and inspect JSON Web Tokens — view header, payload, and signature locally.

Developer

Share this tool

f 𝕏 L

JWT Token

All decoding happens locally in your browser — your token never leaves this page.

Header

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload

{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}

Issued at (iat): Jan 18, 2018, 1:30:22 AM (3069 days ago)

Signature

SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Cannot verify signature without the secret key.

How to Use

1
Paste your JWT string (the long dot-separated token) into the input field.
2
The tool splits the token into Header, Payload, and Signature sections.
3
View decoded claims including 'iss', 'sub', 'exp', and any custom fields.
4
Check the expiry time to see if the token is still valid.

Use Cases

Debugging Authentication Issues

Decode tokens returned by your auth provider to verify claims, roles, and expiry without writing any code.

Inspecting OAuth 2.0 Access Tokens

View the scopes and user information embedded in OAuth access tokens issued by Google, Facebook, or your own server.

API Security Audits

During a security review, decode tokens to confirm they don't contain sensitive data that shouldn't be in the payload.

Learning JWT Structure

Understand how JWTs are structured by decoding real tokens and seeing what each section contains.

Frequently Asked Questions

JWT Decoder lets you instantly decode and inspect JSON Web Tokens — view the header, payload, and expiry claims without any library or backend, all processed client-side.

Decoding only — the tool reads and displays the Header and Payload without verifying the cryptographic signature. To verify a signature, you need the secret key or public key used to sign the token.

Explore More Tools

📊

JSON to CSV

Convert JSON arrays to CSV format instantly — paste JSON, download CSV.

{ }

JSON Formatter

Format, validate, and minify JSON instantly with adjustable indentation.

🔤

Base64 Encoder

Encode or decode Base64 strings — runs entirely in your browser.

🔗

URL Encoder

Safely encode or decode URL components for query strings and paths.

📋

YAML ↔ JSON

Convert between YAML and JSON formats with validation and formatting.

🔍

Regex Tester

Test regular expressions live against sample text with match highlighting and capture groups.

See all Developer tools →