Free JWT Decoder

Decode and inspect JSON Web Tokens — view header, payload, and expiry status instantly. Free, secure, and runs entirely in your browser.

How to Decode a JWT Token Online

Paste your complete JWT (JSON Web Token) into the input field. A JWT consists of three parts separated by dots: header.payload.signature. The tool accepts tokens of any length and automatically detects the three segments. You can paste a JWT from an API response, a browser cookie, an authorization header, or a debugging log.

The decoded header section appears immediately, showing the token's algorithm (alg) and token type (typ). Common algorithms include HS256 (HMAC with SHA-256), RS256 (RSA PKCS#1 v1.5 with SHA-256), and ES256 (ECDSA with the P-256 curve and SHA-256). The header tells you how the token was signed and therefore what kind of key (a shared secret for HS256, a public key for RS256 or ES256) is needed to verify the signature.

The decoded payload section displays all claims in the token. Standard claims include sub (subject — who the token identifies), iss (issuer — who created the token), aud (audience — who the token is intended for), exp (expiration time), iat (issued at), and nbf (not before). Custom claims added by your application are also displayed.

The expiration status indicator shows whether the token is currently valid, expired, or not yet active based on the exp and nbf claims. The tool compares these timestamps against your local system clock and displays the time remaining until expiration or how long ago the token expired. This helps you quickly diagnose authentication failures caused by expired tokens.
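The steps above, as an added example that is not the tool's own source: it splits the compact serialization, base64url-decodes the header and payload with atob(), converts the NumericDate claims, and evaluates exp and nbf against a clock. The sample token, its claims and the placeholder signature are constructed here; the function names are this example's own. It runs unchanged in a browser or in Node.js 16 or later (where atob, btoa, TextEncoder and TextDecoder are globals).

```javascript
// Added example: decode a JWT and evaluate its expiry, with no key and no network.

// base64url (RFC 4648 section 5) is not plain base64: '-' and '_' stand in for '+' and '/'
// and the '=' padding is stripped, so both must be restored before atob() accepts a segment.
function base64UrlDecode(segment) {
  const base64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = base64 + '='.repeat((4 - (base64.length % 4)) % 4);
  const binary = atob(padded);
  const bytes = Uint8Array.from(binary, (ch) => ch.charCodeAt(0));
  return new TextDecoder('utf-8').decode(bytes); // claims may contain non-ASCII text
}

// Inverse helper, used only to build the constructed sample token below.
function base64UrlEncode(text) {
  const bytes = new TextEncoder().encode(text);
  const binary = Array.from(bytes, (b) => String.fromCharCode(b)).join('');
  return btoa(binary).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Split header.payload.signature and parse the two JSON segments. The signature is
// returned untouched: decoding does not verify it, which is why no key is needed.
function decodeJwt(token) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated segments, got ${parts.length}`);
  }
  const [headerSeg, payloadSeg, signatureSeg] = parts;
  return {
    header: JSON.parse(base64UrlDecode(headerSeg)),
    payload: JSON.parse(base64UrlDecode(payloadSeg)),
    signature: signatureSeg,
  };
}

// NumericDate claims are whole seconds since the Unix epoch; JavaScript Dates use milliseconds.
function numericDateToIso(seconds) {
  return new Date(seconds * 1000).toISOString();
}

// Evaluate nbf and exp against a clock (default: now), following RFC 7519: the token is
// not yet active while now < nbf, and expired once now >= exp.
function expiryStatus(payload, nowSeconds = Math.floor(Date.now() / 1000)) {
  if (typeof payload.nbf === 'number' && nowSeconds < payload.nbf) {
    return { status: 'not-yet-active', secondsUntilActive: payload.nbf - nowSeconds };
  }
  if (typeof payload.exp !== 'number') {
    return { status: 'no-expiry' };
  }
  if (nowSeconds >= payload.exp) {
    return { status: 'expired', secondsSinceExpiry: nowSeconds - payload.exp };
  }
  return { status: 'valid', secondsRemaining: payload.exp - nowSeconds };
}

// Constructed sample token (hypothetical issuer and subject). The signature segment is a
// placeholder, which is fine here because decoding never inspects it.
const SAMPLE_HEADER = { alg: 'HS256', typ: 'JWT' };
const SAMPLE_PAYLOAD = {
  sub: 'user-123', iss: 'https://issuer.example', aud: 'api.example',
  iat: 1699996400, nbf: 1699996400, exp: 1700000000, name: 'Zoë',
};
const SAMPLE_JWT = `${base64UrlEncode(JSON.stringify(SAMPLE_HEADER))}.` +
  `${base64UrlEncode(JSON.stringify(SAMPLE_PAYLOAD))}.placeholder-signature`;

const decoded = decodeJwt(SAMPLE_JWT);
console.log('header :', JSON.stringify(decoded.header));
console.log('payload:', JSON.stringify(decoded.payload));
console.log('expires:', numericDateToIso(decoded.payload.exp));
console.log('status :', JSON.stringify(expiryStatus(decoded.payload)));
```

The status uses whichever clock you pass in; the tool uses your local system clock, so a skewed clock on the decoding machine will report a misleading status even though the token itself is fine.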

Why Use This JWT Decoder?

  • 100% client-side processing — your JWT never leaves your browser, making it safe to decode tokens containing sensitive claims
  • No server, no API, no logging — the token is decoded using JavaScript's native atob() function and JSON.parse()
  • Instant decode — paste a token and see the header, payload, and claims immediately with no button click required
  • Expiration check — automatic detection of exp, nbf, and iat claims with a clear valid/expired/not-yet-active status indicator
  • Readable JSON output — claims are displayed as formatted, syntax-highlighted JSON for easy inspection
  • Privacy-first — unlike many online JWT decoders, this tool never transmits your token to any external service
  • Works with any JWT — supports HS256, RS256, ES256, PS256, EdDSA, and all other standard algorithms

Frequently Asked Questions

What is a JWT (JSON Web Token)?

A JWT is a compact, URL-safe token format defined in RFC 7519 for securely transmitting claims between parties. It consists of three Base64url-encoded parts separated by dots: a header (specifying the algorithm and token type), a payload (containing claims like user ID, roles, and expiration time), and a signature (used to verify the token hasn't been tampered with). JWTs are widely used for authentication (login sessions), authorization (API access), and information exchange in web applications and microservices.

Source: RFC 7519 — JSON Web Token (JWT)

Can a JWT be decoded without the secret key?

Yes — the header and payload of a JWT are only Base64url-encoded, not encrypted. Anyone who has the token can decode and read these sections without any key. The secret key is only needed to verify the signature, which confirms the token hasn't been modified. This is an important security consideration: never put sensitive information (passwords, credit card numbers) directly in JWT claims, because anyone who intercepts the token can read them. If you need encrypted tokens, use JWE (JSON Web Encryption) instead of JWS (JSON Web Signature).

Is it safe to paste my JWT into an online tool?

It depends on the tool. Many online JWT decoders send your token to their server for processing, which means your token — and all the claims it contains (user ID, roles, permissions, session data) — is transmitted across the internet and potentially logged. This tool decodes JWTs entirely in your browser using JavaScript. No network request is made. You can verify this by opening your browser's DevTools Network tab while pasting a token — no outbound requests will appear. For maximum safety, always use client-side tools for decoding tokens that contain real credentials.

What is the exp claim in a JWT?

The exp (expiration time) claim is a standard JWT claim defined in RFC 7519 section 4.1.4. It contains a NumericDate value — a Unix timestamp (seconds since January 1, 1970 UTC) — representing the time after which the token must not be accepted. For example, an exp value of 1700000000 means the token expires on November 14, 2023 at 22:13:20 UTC. Applications should always check the exp claim before trusting a JWT. Short expiration times (minutes to hours) limit the damage window if a token is compromised.

Source: RFC 7519 § 4.1.4 — Expiration Time Claim

What is the difference between JWS and JWE?

JWS (JSON Web Signature, RFC 7515) and JWE (JSON Web Encryption, RFC 7516) are two distinct token formats. A JWS token is signed but not encrypted — the payload is readable by anyone, and the signature proves it hasn't been tampered with. This is the format most people mean when they say 'JWT'. A JWE token is encrypted — the payload is unreadable without the decryption key, providing confidentiality in addition to integrity. Use JWS when you need to verify the sender and detect tampering. Use JWE when the token's content must be kept secret from intermediaries.

Source: RFC 7516 — JSON Web Encryption (JWE)

By UtilDaily · Updated — free, privacy-first browser tools. No sign-up, no data collection.