
JWT Decoder

Decode JSON Web Tokens (JWT) and view header, payload, and signature. Check token expiration.


How to Use

  1. Enter a JWT

     Paste the JWT string you want to decode into the input field, or use the Sample button to load a test token.

  2. View decoded results

     Review the JSON contents broken down into header, payload, and signature sections. Timestamps are shown in a readable date format.

  3. Copy what you need

     Use the copy button in each section to copy the header or payload JSON to your clipboard.

Security Warning

This tool only decodes JWTs and does not verify signatures. Validate token authenticity separately.

JWT Token

All processing happens in your browser. Tokens are never sent to any server.


About JWT Decoder

JWT Decoder breaks down any JSON Web Token into its three parts — header, payload, and signature — and renders them as formatted, readable JSON. Timestamp claims such as exp, iat, and nbf are automatically converted from Unix epoch values to human-readable date and time, so you can instantly see when a token was issued and when it expires. Security warnings are raised for known risk patterns: tokens using alg=none (no signature) and tokens missing the exp claim. Whether you are debugging an OAuth 2.0 authorization code flow, inspecting ID tokens from Auth0 or Amazon Cognito, verifying the signing algorithm your backend uses, or auditing claims returned by a third-party identity provider, this tool surfaces exactly what is inside the token.

Key Features

  • Decode into header, payload, and signature parts
  • Pretty-printed JSON display
  • Convert timestamp claims (exp, iat, nbf) to readable dates
  • Token expiration status check
  • Copy each section to clipboard

Common Use Cases

  • Inspect access tokens returned by OAuth 2.0 or OIDC flows
  • Debug JWT claims during API development with Postman or curl
  • Check token expiration (exp) and issued-at (iat) timestamps
  • Verify the signing algorithm (alg) in the header
  • Examine ID tokens from Auth0, Cognito, or Firebase Auth

Frequently Asked Questions

Can this tool verify JWT signatures?

No, this tool only decodes JWTs and does not verify signatures. Signature verification requires access to the secret key or public key used when the token was signed. Always validate signatures on the server side using a trusted library before trusting any claims in a token.

Is my token sent to a server?

No. JWT decoding is Base64URL decoding followed by JSON parsing — it runs entirely in JavaScript with no network requests. You can safely paste tokens containing user data, session information, or other sensitive claims.

Can I view expired tokens?

Yes, expired tokens can still be decoded and displayed. A clear warning is shown indicating the token has passed its expiration time. This is useful for debugging authentication issues where a token may have expired unexpectedly.

What is the alg=none warning about?

A JWT with alg=none has no cryptographic signature, meaning anyone can create or modify it without detection. This is a well-known security vulnerability (CVE-2015-9235). Production systems should never accept alg=none tokens. The tool flags these tokens prominently so you can identify them immediately.

What is a JWT and how is it structured?

JWT (JSON Web Token) is a compact, URL-safe format for transmitting claims between parties. It consists of three Base64URL-encoded parts joined by dots: the header (algorithm and token type), the payload (claims such as user ID, roles, and expiration), and the signature. JWTs are widely used in authentication, single sign-on (SSO), and microservice communication.

What are the most commonly used JWT claims?

Standard registered claims include exp (expiration time), iat (issued at), nbf (not before), iss (issuer), aud (audience), and sub (subject). This tool automatically converts the exp, iat, and nbf timestamps to human-readable dates. The alg (algorithm) and typ (token type) fields appear in the header section.

What does it mean if a token has no exp claim?

A JWT without an exp claim has no built-in expiration, meaning it is technically valid forever unless explicitly revoked. This can be a security risk in production systems. The tool displays a warning for such tokens so you can investigate whether non-expiring tokens are intentional in your application.
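The decoding steps described in the FAQ above (split on dots, Base64URL-decode, parse JSON, convert exp/iat/nbf, flag alg=none and a missing exp, check expiration) as a worked example. This is added illustration code, not the JWT Decoder tool's own source; it runs in Node.js with no network access and, like the tool, performs no signature verification. The sample token is constructed inline from a made-up payload and a placeholder signature segment.

```javascript
// Added example, not the tool's own code: decode a JWT's three segments, convert the
// registered timestamp claims, and raise the warnings the page describes. Decode only;
// the signature segment is passed through untouched and never verified.

function base64UrlDecode(segment) {
  // Base64URL uses "-" and "_" instead of "+" and "/" and drops the "=" padding.
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

function base64UrlEncode(text) {
  return Buffer.from(text, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

const TIMESTAMP_CLAIMS = ['exp', 'iat', 'nbf'];

// `now` is Unix seconds for the expiration check; injectable so results are reproducible.
function decodeJwt(token, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated segments, got ${parts.length}`);
  }
  const [headerSeg, payloadSeg, signatureSeg] = parts;
  const header = JSON.parse(base64UrlDecode(headerSeg));
  const payload = JSON.parse(base64UrlDecode(payloadSeg));

  // Registered timestamp claims are NumericDate values in seconds, not milliseconds.
  const timestamps = {};
  for (const claim of TIMESTAMP_CLAIMS) {
    if (Number.isFinite(payload[claim])) {
      timestamps[claim] = new Date(payload[claim] * 1000).toISOString();
    }
  }

  const warnings = [];
  if (String(header.alg).toLowerCase() === 'none') {
    warnings.push('alg=none: token carries no cryptographic signature');
  }
  let expired = false;
  if (!Number.isFinite(payload.exp)) {
    // A non-numeric exp is treated as absent: it cannot bound the token's lifetime.
    warnings.push('no exp claim: token has no built-in expiration');
  } else if (payload.exp <= now) {
    expired = true;
    warnings.push('expired: exp is in the past');
  }

  return { header, payload, signature: signatureSeg, timestamps, warnings, expired };
}

// Builds a constructed sample token (not a real credential). The third segment is a
// placeholder, which is fine here because nothing in this example checks signatures.
function buildSampleToken(header, payload, signatureText) {
  return [
    base64UrlEncode(JSON.stringify(header)),
    base64UrlEncode(JSON.stringify(payload)),
    base64UrlEncode(signatureText),
  ].join('.');
}

const SAMPLE_TOKEN = buildSampleToken(
  { alg: 'HS256', typ: 'JWT' },
  { sub: '1234567890', iss: 'https://issuer.example', iat: 1699996400, exp: 1700000000 },
  'placeholder-signature-not-valid'
);

if (typeof require !== 'undefined' && require.main === module) {
  // Decode the sample as of a fixed instant shortly before its exp.
  console.log(JSON.stringify(decodeJwt(SAMPLE_TOKEN, 1699999000), null, 2));
}
```

Passing a fixed `now` makes the expiration status deterministic; with the sample's exp of 1700000000 the token reads as valid at 1699999000 and as expired from 1700000000 onward. A token built with `{ alg: 'none' }` and no exp produces both warnings the page mentions, which is the same condition a server-side verifier should reject outright.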