JWT Decoder Online Free
Decode a JWT into its header, payload, and signature with expiration status and human-readable timestamps.
In your browser—your files never leave your device.
Learn moreAbout this tool
A JSON Web Token (RFC 7519) is three Base64URL-encoded segments joined with dots: header.payload.signature. The first two are JSON objects you can read with any parser. The third is a cryptographic signature that proves the issuer minted the token and nothing was tampered with. This tool decodes the header and payload, shows the signature as opaque text, and — when you paste the shared secret — verifies HS256 signatures locally via the Web Crypto API (HMAC-SHA-256). RS256 and ES256 tokens are decode-only here because verifying them requires the issuer's public key from a JWKS endpoint, which is a server-side concern. Expiration, issued-at, and not-before claims convert from Unix epoch to readable dates so you can see at a glance whether the token is valid right now. A green or red expiration badge tells you the status before you read a single claim.
How to jwt decoder online free
-
Paste the JWT
The full string with the two dots. Example: eyJhbGciOiJIUzI1NiI...signature. The decoder splits on dots and decodes each segment from Base64URL (the URL-safe variant of Base64 that uses - and _ instead of + and /).
-
Read the expiry badge
A green pill means the token is still good; red means it has expired. The badge shows "Expires in 23m" or "Expired 4h ago" — readable, not raw epoch. If the token has no exp claim (some long-lived API keys minted as JWTs do not) the badge does not appear, which is itself information.
-
Inspect header and payload
Header shows alg and typ. Payload shows the claims — issuer (iss), subject (sub), audience (aud), expiration (exp), issued-at (iat), plus whatever custom data your auth system added (user_id, roles, scopes, tenant, plan). The pretty-printing makes nested structures scannable.
-
Cross-check against the issuer
Compare iss to what your IdP says it should be. Compare aud to your API identifier. If either is wrong, your token validation will fail server-side even if the signature is good. The decoder shows you the data; the server-side log usually tells you which check failed.
Features
Three-panel decode with color coding
Header, payload, and signature each render in their own card with color coding (orange for header, green for payload, purple for signature). Easy to spot which part you are reading. The payload is the part you usually care about, since that holds the user identity, the issued-at and expiration timestamps, and any custom claims your auth system added. The header tells you the signing algorithm — HS256, RS256, ES256 — and the token type, which is almost always "JWT" but can be "JWT" with extensions for specific signed JWS variants.
Expiration status badge
A green or red pill at the top tells you "Expires in 23m" or "Expired 4h ago". No more squinting at the exp claim and doing epoch math in your head. Useful for the "is the token even valid" question that opens every JWT debug session. The badge also handles the nbf (not-before) claim if present — a token can be valid in the future, and the badge reflects that case as "Not valid until..." rather than just "Expired."
Pretty-printed JSON inside each segment
The header and payload are decoded from Base64URL, parsed as JSON, and rendered with 2-space indentation so the claims are readable. Standard claim names (iss, sub, aud, exp, iat, nbf, jti) and custom claims appear together. The pretty-printing means a nested permissions object or a claims dictionary is easy to scan rather than a single jumbled line. Each panel has a copy button so you can grab the decoded JSON for use elsewhere.
Local-only decoding — verifiable in DevTools
JWTs are bearer tokens — anyone with the string can impersonate the subject until it expires. Pasting one into a third-party site that POSTs the input to a server is a credential leak. This tool decodes in your browser via atob and JSON.parse with zero network calls. Verify in DevTools — open the Network tab, paste a token, and see no outbound requests. Compare to other "online JWT decoder" sites that POST the token to their servers (some of which have been caught logging tokens for analysis).
Privacy & security
Decoding the three Base64URL segments is a one-line operation in JavaScript, and that is what runs here — atob plus a small string transform for the URL-safe alphabet. If you paste the shared secret for HS256 verification, the HMAC-SHA-256 check runs through the Web Crypto API on your machine; the secret is never serialized anywhere except memory. Real JWTs often carry user IDs, scopes, and sometimes whole user objects in the payload — keeping that all client-side is the whole point.