JWT Decoder Online: Read Any JWT Token in Seconds

What is a JWT Token?

A JWT (JSON Web Token) is a compact, URL-safe token used for authentication and information exchange. You'll see them in Authorization: Bearer ... headers, cookies, and URL parameters.

Every JWT has three parts separated by dots (.):

header.payload.signature

• Header — algorithm and token type
• Payload — the actual claims (user ID, expiry, roles)
• Signature — cryptographic proof the token hasn't been tampered with

How to Decode a JWT Token

The header and payload are just Base64URL-encoded JSON — you can decode them without the secret key. The signature verification requires the secret.

Using our online JWT decoder:

1. Paste your JWT token into the input field
2. The tool instantly splits and decodes the header and payload
3. Check the exp claim to see when it expires
4. Check iat for when it was issued, sub for the subject

Common JWT Claims

Is It Safe to Decode JWTs Online?

Our JWT decoder runs entirely in your browser using JavaScript. No data is sent to any server. The token never leaves your device.

That said: never decode JWTs that contain sensitive production secrets in a tool you don't trust. For sensitive work, use our tool (client-side only) or decode locally with:

echo "eyJhbGciOi..." | cut -d. -f2 | base64 -d 2>/dev/null | python3 -m json.tool

JWT Debugging Tips

• Token expired? Check exp — it's a Unix timestamp. Convert to human-readable with our Timestamp Converter.
• Algorithm mismatch? Check the alg field in the header. RS256 uses RSA keys, HS256 uses a shared secret.
• Missing claims? Your backend may expect specific claims that aren't present.

Try the Tool

→ Open the free JWT Decoder — no signup, no limits, works offline.