JWT Decoder

Decode and inspect JSON Web Tokens (JWT). View header, payload, and check expiration status.

JWT Token
Paste your JWT token to decode
About JWT Tokens

JSON Web Tokens (JWT) are a compact, URL-safe means of representing claims between two parties. A JWT consists of three parts:

  • Header - Contains the algorithm and token type
  • Payload - Contains the claims (data)
  • Signature - Verifies the token hasn't been tampered with
The Complete Guide

About the JWT Decoder

JSON Web Tokens (JWTs) are the de facto standard for stateless authentication in modern web apps. Auth0, Okta, Firebase Auth, AWS Cognito, Supabase, and most OAuth 2.0 providers issue JWTs as their access tokens. When your React app makes an authenticated API call, there's almost certainly a JWT in the Authorization header.

But JWTs look like gibberish — three dot-separated Base64URL strings. To debug an authentication issue, verify a claim, or check when a token expires, you need to decode it. Our JWT Decoder splits your token, decodes each part, and shows the header, payload, and signature side-by-side with syntax highlighting.

Everything happens in your browser. Your token is never sent to any server, so you can safely paste production tokens without worrying about them appearing in access logs. We highlight standard claims (iss, sub, aud, exp, iat) and show a human-readable expiration time so you can spot expired tokens instantly.

How to use JWT Decoder

1

Paste your JWT

Copy the token from your browser DevTools (Application → Cookies or Local Storage), a curl -v output, or an authorization header. Paste it into the input.

2

See the decoded parts

The decoder splits the token by dots and Base64URL-decodes each part. Header (algorithm and type) and payload (claims) appear as pretty-printed JSON. The signature remains as Base64 — you cannot decode it without the signing key.

3

Inspect the claims

Standard fields are highlighted: `iss` (issuer), `sub` (subject/user ID), `aud` (audience), `exp` (expiration), `iat` (issued at), `nbf` (not before), `jti` (JWT ID). Custom fields appear below.

4

Check expiration

The tool converts `exp` and `iat` from Unix timestamps to human-readable dates and warns you if the token is expired or issued in the future (clock skew).

5

Copy individual parts

Use the copy buttons to grab just the header, payload, or signature — handy when writing test cases or documenting an API.

Common Use Cases

Debug 401 authentication errors

Paste the token your app is sending. Check `iss`, `aud`, and `exp` to see why the server is rejecting it.

Verify token expiration

When a user is suddenly logged out, decode their token to check if `exp` is in the past. Refresh token logic may be broken.

Inspect Firebase, Auth0, Cognito tokens

Every managed auth provider uses JWTs. Decode to see the exact user ID, email, and custom claims they include.

Understand OAuth flows

When debugging OAuth 2.0 with OpenID Connect, the ID token is a JWT. Decode it to see the userinfo claims.

Reverse-engineer partner APIs

When integrating with a third-party API that uses JWTs, decode a sample token to understand the exact claim structure they expect.

Educational use

JWTs are on every intermediate frontend interview. Decoding a real one is the fastest way to teach someone how they work.

Frequently Asked Questions

No. The decoder shows the payload without verifying the HMAC or RSA signature — you would need the signing secret or public key for that. Never trust a decoded JWT payload without verifying the signature on your server first.

Related searches:

jwt decoder
jwt debugger
decode jwt
jwt io
json web token
jwt parser
jwt inspector
jwt payload
auth0 jwt
firebase jwt