JWT Decoder
Decode and inspect JSON Web Tokens (JWT). View header, payload, and check expiration status.
JSON Web Tokens (JWT) are a compact, URL-safe means of representing claims between two parties. A JWT consists of three parts:
- Header - Contains the algorithm and token type
- Payload - Contains the claims (data)
- Signature - Verifies the token hasn't been tampered with
About the JWT Decoder
JSON Web Tokens (JWTs) are the de facto standard for stateless authentication in modern web apps. Auth0, Okta, Firebase Auth, AWS Cognito, Supabase, and most OAuth 2.0 providers issue JWTs as their access tokens. When your React app makes an authenticated API call, there's almost certainly a JWT in the Authorization header.
But JWTs look like gibberish — three dot-separated Base64URL strings. To debug an authentication issue, verify a claim, or check when a token expires, you need to decode it. Our JWT Decoder splits your token, decodes each part, and shows the header, payload, and signature side-by-side with syntax highlighting.
Everything happens in your browser. Your token is never sent to any server, so you can safely paste production tokens without worrying about them appearing in access logs. We highlight standard claims (iss, sub, aud, exp, iat) and show a human-readable expiration time so you can spot expired tokens instantly.
How to use JWT Decoder
Paste your JWT
Copy the token from your browser DevTools (Application → Cookies or Local Storage), a curl -v output, or an authorization header. Paste it into the input.
See the decoded parts
The decoder splits the token by dots and Base64URL-decodes each part. Header (algorithm and type) and payload (claims) appear as pretty-printed JSON. The signature remains as Base64 — you cannot decode it without the signing key.
Inspect the claims
Standard fields are highlighted: `iss` (issuer), `sub` (subject/user ID), `aud` (audience), `exp` (expiration), `iat` (issued at), `nbf` (not before), `jti` (JWT ID). Custom fields appear below.
Check expiration
The tool converts `exp` and `iat` from Unix timestamps to human-readable dates and warns you if the token is expired or issued in the future (clock skew).
Copy individual parts
Use the copy buttons to grab just the header, payload, or signature — handy when writing test cases or documenting an API.
Common Use Cases
Debug 401 authentication errors
Paste the token your app is sending. Check `iss`, `aud`, and `exp` to see why the server is rejecting it.
Verify token expiration
When a user is suddenly logged out, decode their token to check if `exp` is in the past. Refresh token logic may be broken.
Inspect Firebase, Auth0, Cognito tokens
Every managed auth provider uses JWTs. Decode to see the exact user ID, email, and custom claims they include.
Understand OAuth flows
When debugging OAuth 2.0 with OpenID Connect, the ID token is a JWT. Decode it to see the userinfo claims.
Reverse-engineer partner APIs
When integrating with a third-party API that uses JWTs, decode a sample token to understand the exact claim structure they expect.
Educational use
JWTs are on every intermediate frontend interview. Decoding a real one is the fastest way to teach someone how they work.
Frequently Asked Questions
Related Tools You May Like
Related searches: