🔐 JWT Decoder
Paste any JSON Web Token to instantly view the header, payload, and all claims. Check expiry status, decode timestamps, and inspect roles and scopes — 100% in your browser, nothing sent to any server.
Frequently Asked Questions
Is it safe to paste my JWT here?
Yes. This tool runs entirely in your browser — your JWT is decoded using JavaScript's atob() function locally. Nothing is sent to any server. Avoid pasting production tokens on shared computers.
What are the three parts of a JWT?
A JWT has three Base64URL-encoded parts separated by dots: Header (algorithm and type), Payload (claims: data like user ID, roles, expiry), and Signature (integrity verification; checking it requires the signing secret or public key). Only the first two are decoded here.
What do exp, iat, sub, iss mean?
exp — expiration time (Unix timestamp). iat — issued at. sub — subject (usually user ID). iss — issuer. aud — audience. nbf — not before. These are standard claims from RFC 7519.
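The decoding described in the two answers above, as an added example that is not the tool's own code: it converts each Base64URL segment back to the standard Base64 that atob() accepts (restoring '+', '/' and padding), parses header and payload, and evaluates the exp and nbf claims against a chosen time. It assumes a browser or Node runtime with the atob, btoa, TextEncoder and TextDecoder globals; the token it decodes is constructed inline with a dummy signature segment and was never signed.

```javascript
// Base64URL -> string. atob() only accepts standard Base64, so restore the
// '+' and '/' characters and the '=' padding that JWTs strip. (Assumes the
// atob and TextDecoder globals of a browser or modern Node.)
function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

// string -> Base64URL, used only to build the constructed sample token below.
function base64UrlEncode(str) {
  const bytes = new TextEncoder().encode(str);
  const b64 = btoa(String.fromCharCode(...bytes));
  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Split on the two dots and parse the first two parts; the signature is kept
// as an opaque string because it cannot be checked without the key.
function decodeJwt(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  return {
    header: JSON.parse(base64UrlDecode(parts[0])),
    payload: JSON.parse(base64UrlDecode(parts[1])),
    signature: parts[2],
  };
}

// Evaluate the time claims (Unix seconds) against nowSeconds.
// Returns "no-exp", "not-yet-valid", "expired" or "active".
function timeStatus(payload, nowSeconds) {
  if (typeof payload.exp !== "number") return "no-exp";
  if (typeof payload.nbf === "number" && nowSeconds < payload.nbf) return "not-yet-valid";
  if (nowSeconds >= payload.exp) return "expired";
  return "active";
}

// Constructed sample token: HS256 header, a payload with the standard claims
// from the answer above plus a custom "roles" claim, and a dummy signature.
const SAMPLE_JWT = [
  base64UrlEncode(JSON.stringify({ alg: "HS256", typ: "JWT" })),
  base64UrlEncode(JSON.stringify({ iss: "https://issuer.example", sub: "user-42",
    aud: "api", iat: 1700000000, nbf: 1700000000, exp: 1700003600, roles: ["admin"] })),
  "dummy-signature",
].join(".");

const decoded = decodeJwt(SAMPLE_JWT);
console.log(decoded.header, decoded.payload, timeStatus(decoded.payload, 1700001800));
```

Decoding succeeds for any well-formed token regardless of who made it, which is exactly why a decoded payload must not be trusted until the signature has been verified server-side.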
Can this verify JWT signatures?
No. Signature verification requires the secret or public key. Never paste your keys into a web tool. Use a server-side library like jsonwebtoken (Node.js), PyJWT (Python), or golang-jwt (Go) to verify signatures.
Free Online JWT Decoder — Inspect JSON Web Token Claims
JSON Web Tokens (JWTs) are the industry standard for stateless authentication. Used in REST APIs, OAuth 2.0, OpenID Connect, and single sign-on systems, they carry signed claims in a compact, URL-safe format. This decoder lets you inspect any token without running code.
Why Decode a JWT?
Common use cases include debugging auth issues, inspecting tokens from identity providers (Auth0, Okta, AWS Cognito, Firebase), checking expiry, reading custom claims in middleware, and understanding OAuth scopes returned by third-party services.
JWT vs Session Tokens
Unlike opaque session tokens, JWTs are self-contained — the server doesn't need a database lookup to validate them. The payload contains all necessary information. This makes them ideal for distributed systems and microservices, but means revocation requires extra infrastructure like a token blacklist.