Free Online Tool · 100% Client-Side · Never Sends Your Token
Free JWT Decoder Online — Decode Any JWT Token
Paste any JWT and instantly see the header algorithm, payload claims, issued-at, expiry, and signature. Detects expired tokens automatically. Your token never leaves your browser.
What is a JWT Token?
A JSON Web Token (JWT) is a compact, URL-safe token format used for authentication and information exchange. A JWT consists of three Base64URL-encoded parts separated by dots: the Header (algorithm and token type), the Payload (claims like user ID, roles, expiry), and the Signature (cryptographic verification). Decoding the header and payload requires no secret key — only signature verification does.
How to Decode a JWT Online
1
Copy Your JWT
Get the JWT from your browser's dev tools, API response, or auth header. It looks like: eyJ…eyJ…sig
2
Paste & Decode
Paste the full JWT string into the input box and click "Decode JWT".
3
Inspect Claims
View the algorithm, sub, iat, exp, roles, and all custom claims. Red badge appears if the token is expired.
FAQ — JWT Decoder
Is it safe to decode my JWT here?
Yes. The decoding happens entirely in your browser — your JWT is never sent to any server. Safe for tokens containing sensitive claims like user IDs, emails, and roles.
Do I need the secret key to decode a JWT?
No. Decoding (reading) the header and payload only requires Base64URL decoding, which needs no secret. The secret key is only needed to verify the signature. Our tool decodes but does not verify.
How do I know if a JWT is expired?
Our decoder checks the "exp" (expiry) claim in the payload and compares it to the current time. A red "EXPIRED" badge appears if the token has expired.
What JWT algorithms are supported?
All JWTs can be decoded regardless of algorithm (HS256, HS512, RS256, RS512, ES256, etc.) since decoding only reads the Base64URL-encoded parts — it does not verify the cryptographic signature.
What are common JWT claims?
"sub" (subject/user ID), "iat" (issued at), "exp" (expiry timestamp), "iss" (issuer), "aud" (audience), "nbf" (not before), "jti" (JWT ID). Custom claims are also common in production JWTs.