JWT decoder online — read header, payload, and expiry (no signature check)

Use this free JWT decoder online to Base64URL-decode JSON Web Tokens in the common JWS compact shape (three dot-separated parts). Inspect alg, typ, and kid in the header, then browse claims such as sub, aud, iss, and scope in the payload. The page highlights exp, nbf, and iat so you can sanity-check token lifetime during OAuth 2.0 and OpenID Connect debugging. Everything runs client-side in your browser—no upload—so staging tokens stay off shared backends. Pair it with our JSON formatter & validator after you copy decoded claims, and use the Unix timestamp converter when you compare epoch values from logs and gateways.

Security note: this tool does not verify signatures. Anyone can craft a token whose decoded payload looks legitimate; only your server, holding the verification keys, should trust a token for authentication or authorization decisions.

According to exp, this token expires at 2033-05-18T03:33:20.000Z (UTC). Compare this with your API's actual validation rules.

alg (header): HS256
typ (header): JWT
iat: 2018-01-18T01:30:22.000Z
exp: 2033-05-18T03:33:20.000Z

Header

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload

{
  "sub": "1234567890",
  "name": "John Doe",
  "admin": true,
  "iat": 1516239022,
  "exp": 2000000000
}

Why decode JWTs during development?

A JSON Web Token packages claims that APIs and browsers exchange after login. When a request fails with 401 or 403, teams often need a fast JWT payload decoder to confirm scopes, tenant IDs, and expiry without spelunking through proprietary dashboards. This utility answers: “What did the issuer put in the token?”—not “Should my API trust it?” Trust requires cryptographic verification with the right keys, which belongs in your authorization server middleware, API gateway, or backend framework.

Because decoding is only Base64URL + JSON, it is safe for structure inspection but trivial to forge if verification is skipped. Treat this page like a multimeter: great for signal tracing, not a substitute for production authZ checks. When you normalize other wire formats, open the Base64 encoder & decoder for raw segments or the URL encoder & decoder when tokens travel in query strings.

How to use this JWT decoder (step by step)

  1. Paste the full token into the textarea—usually an access token or ID token from Authorization: Bearer headers. The field accepts a leading Bearer prefix; whitespace is trimmed automatically.
  2. Read the decoded header JSON for alg, typ, and optional kid (key id). Then review the payload for audience, subject, roles, and custom claims your product relies on.
  3. Check the coloured status line for exp and nbf relative to your system clock. Refresh tokens, skew-tolerant servers, or cached sessions may still behave differently—this is a developer hint, not an authorization decision.
  4. Use Copy on each panel to move JSON into VS Code, Postman, or tickets. For large claim sets, continue editing with the JSON formatter or diff changes with the code diff checker.

JWT decoder keywords teams search for

Engineers often look for an online JWT parser, JWT inspector, or decode JWT Base64URL when tracing mobile apps, SPAs, and microservices. Related searches include OIDC ID token decode, OAuth access token claims, and JWT exp checker. This page documents those workflows explicitly and keeps processing local so regulated teams can avoid SaaS uploads for routine inspection.

Header claims: alg, typ, kid, and why they matter

The header tells verifiers which algorithm and key material to use. Libraries must reject unexpected alg values (especially none) to prevent algorithm confusion attacks. The optional kid points to a JWK in your issuer’s JWKS document so rotating keys does not break every client at once. Seeing these fields clearly helps when you compare tokens from staging vs production issuers or debug multi-tenant setups. For hashing and fingerprint ideas outside JWT, see the hash generator.

Payload claims: registered, public, and private names

JWT payloads combine registered claim names (like iss, sub, aud) with vendor-specific fields. Public names should be documented in registries; private names are agreements between your frontend and API. Decoding reveals structure but not truth—always reconcile claims with your identity provider and server-side policy. If you export claim snapshots to YAML configs, round-trip through YAML to JSON to validate shape before deployment.

Limitations: no JWE, no signature or encryption verification

Encrypted JWTs (JWE) use five segments and require decryption keys; this tool does not decrypt ciphertext. It also ignores the signature segment entirely, so tampered tokens still decode. For production, use maintained libraries, validate issuer and audience, enforce a bounded clock skew, and fetch keys over TLS from a trusted JWKS endpoint. If you test cron-based key or token rotation jobs, work out the schedule in the cron expression explainer; JWT timestamps alone will not tell you when the next rotation runs.
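The decode-and-sanity-check flow from the steps above, the alg allow-list from the header section, and the exp/nbf comparison, written as an added browser JavaScript example (this is not the page's own code). The sample token is constructed from the header and payload shown on this page with a dummy signature segment, and nothing in the block verifies a signature.

```javascript
// Added example, not the page's own code. Decodes a JWS compact token the way this
// page describes (trim, strip Bearer, split on ".", Base64URL-decode, parse JSON),
// applies an alg allow-list and classifies exp/nbf against a clock. No signature check.
function base64UrlDecode(segment) {
  // Base64URL -> standard Base64, restoring the "=" padding that JWS strips.
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8").decode(bytes);
}

function base64UrlEncode(str) { // only used to build the constructed sample token
  const bin = Array.from(new TextEncoder().encode(str), (b) => String.fromCharCode(b)).join("");
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function decodeJwt(input) {
  // Accepts a raw token or an "Authorization: Bearer <token>" value.
  const parts = input.trim().replace(/^Bearer\s+/i, "").split(".");
  if (parts.length !== 3) throw new Error(`expected 3 JWS segments, got ${parts.length}`);
  return {
    header: JSON.parse(base64UrlDecode(parts[0])),
    payload: JSON.parse(base64UrlDecode(parts[1])),
    signature: parts[2], // returned untouched: nothing here verifies it
  };
}

// A verifier runs this BEFORE touching the signature: "none" and any alg outside the
// service's allow-list are rejected, which is what blocks algorithm confusion.
function checkAlg(header, allowedAlgs) {
  if (typeof header.alg !== "string" || header.alg.toLowerCase() === "none") return false;
  return allowedAlgs.includes(header.alg);
}

// exp/nbf are NumericDate (seconds since the Unix epoch); skewSeconds is the tolerance
// a real verifier would apply. Returns "expired", "not-yet-valid" or "active".
function timeStatus(payload, nowSeconds, skewSeconds = 0) {
  if (typeof payload.exp === "number" && nowSeconds >= payload.exp + skewSeconds) return "expired";
  if (typeof payload.nbf === "number" && nowSeconds < payload.nbf - skewSeconds) return "not-yet-valid";
  return "active";
}

// Constructed sample: this page's header and payload with a dummy (not HMAC) signature.
const SAMPLE_TOKEN = [
  base64UrlEncode(JSON.stringify({ alg: "HS256", typ: "JWT" })),
  base64UrlEncode(JSON.stringify({ sub: "1234567890", name: "John Doe", admin: true,
                                   iat: 1516239022, exp: 2000000000 })),
  "dummy-signature",
].join(".");
```

Calling decodeJwt("Bearer " + SAMPLE_TOKEN) returns the header and payload printed on this page; checkAlg and timeStatus are the two checks a real verifier performs before and after signature validation, respectively.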

Frequently asked questions

What does this JWT decoder do?
It splits a JSON Web Token (JWS compact form) into header and payload, Base64URL-decodes those segments, and pretty-prints the JSON. It can read standard time claims (exp, nbf, iat) and show whether a token appears expired relative to your browser clock. It does not verify signatures or trust the issuer—you should never treat decoded content alone as proof of authenticity.

Does this tool verify the JWT signature?
No. Signature verification needs the correct secret or public key and usually runs on your server or in a trusted library. This page is for debugging and inspection only: reading alg, kid, sub, scopes, and expiry during development. For production auth, validate tokens with your framework (e.g. jose, jsonwebtoken, Auth0, Cognito) and reject invalid signatures before trusting claims.

Is my token sent to your servers?
No. Parsing and decoding run entirely in your browser with JavaScript. The token never leaves your device unless you copy it elsewhere or use another tool that performs network requests.

Why does my token show as expired when the app still works?
Clock skew, refresh tokens, or server-side session logic may keep you signed in after an access token’s exp. Some APIs issue short-lived access tokens and rotate them silently. Also confirm you decoded the same token the API receives—query params and cookies sometimes differ from what you paste here.

What is the difference between JWT, JWS, and JWE?
JWT is the umbrella term. JWS is a signed token (typically three Base64URL segments: header, payload, signature). JWE is encrypted and has more segments. This decoder targets common three-part JWS tokens used in OAuth 2.0 and OpenID Connect. Encrypted JWE tokens are not supported on this page.

Can I decode refresh tokens or API keys here?
You can paste any string that matches the JWS layout, but you should avoid pasting production secrets into third-party sites. Prefer local tools, redacted samples, or tokens from staging. Pair inspection with our Base64 encoder and JSON formatter when you are debugging encoding issues—not when handling live credentials.

How do exp, nbf, and iat work?
exp (expiration time), nbf (not before), and iat (issued at) are NumericDate values: seconds since Unix epoch unless your library maps them differently. This tool interprets them as UTC and compares exp and nbf to the current time for a quick sanity check only.

Which related tools should I use next?
Format decoded JSON with the JSON formatter and validator, convert timestamps with the Unix timestamp converter, debug URL-safe encoding with the Base64 encoder and decoder, and pretty-print SQL or YAML when your token flows through APIs documented in those formats—all linked from the code and developer tools section on the home page.