How to Decode a JWT Token Online for Free
Inspect JWT header, payload, and expiration claims instantly — entirely in your browser with no server logging and no signup.
What is a JWT and why do you need to decode it?
JWTs appear in Authorization headers, cookies, and API responses as long dot-separated strings of base64url text (e.g. eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyXzEyMyJ9.abc123). They carry claims such as the user ID, roles, expiry time, and email that you often need to inspect when debugging authentication issues.
Decoding a JWT reveals the exact claims inside without any key: the header and payload are only base64url-encoded JSON. That makes decoding the first step in debugging: finding why a token is rejected (expired? wrong audience?), confirming what user data it carries, or seeing which permissions it encodes.
Step-by-step: decode a JWT token
Open the JWT Decoder
Visit the free JWT Decoder tool. It runs entirely in your browser using JavaScript — your token is never sent to any server.
Paste your JWT
Copy your JWT token (it looks like xxxxx.yyyyy.zzzzz — three base64url-encoded segments separated by dots) and paste it into the input field.
Inspect the decoded output
The tool instantly displays the Header (algorithm, token type) and Payload (claims like sub, iat, exp, email, roles) as formatted JSON.
Check expiration and claims
The exp claim is shown as a human-readable date. See exactly when the token expires and whether it's currently valid. All standard claims are labeled and explained.
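The four steps above as a single script, added here as an example and not the decoder tool's own code. It splits the three segments, base64url-decodes the header and payload, converts `exp` to a human-readable date, checks whether the token is currently valid, and flags an unsigned (`alg: none`) token. The sample tokens are constructed in the script with a placeholder signature; no real secret is involved. It uses only `atob`, `btoa`, `TextEncoder` and `TextDecoder`, so it runs unchanged in a browser console and in Node 16 or later.

```javascript
// Added example (not the decoder tool's own code): a dependency-free JWT decoder
// for the compact JWS form (header.payload.signature). It decodes and inspects
// claims; it does NOT verify the signature. Runs in browsers and Node 16+.

// base64url -> UTF-8 string. base64url swaps '+'/'/' for '-'/'_' and drops the
// '=' padding, so both are restored before atob() sees the data.
function b64urlDecode(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (ch) => ch.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

// UTF-8 string -> base64url. Used only to build the constructed sample tokens below.
function b64urlEncode(text) {
  let binary = "";
  for (const byte of new TextEncoder().encode(text)) binary += String.fromCharCode(byte);
  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Decode a JWT and report expiry and red flags. `now` is Unix seconds and is a
// parameter so the result is deterministic; callers normally omit it.
function decodeJwt(token, now = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated segments, got ${parts.length} (5 means JWE, which is encrypted)`);
  }
  const [h, p, s] = parts;
  const header = JSON.parse(b64urlDecode(h));
  const payload = JSON.parse(b64urlDecode(p));
  const hasExp = typeof payload.exp === "number";
  const hasNbf = typeof payload.nbf === "number";

  const warnings = [];
  // Case-insensitive: "None"/"NONE" variants are a known bypass of naive checks.
  if (String(header.alg).toLowerCase() === "none") warnings.push("alg is none: token is unsigned");
  if (s === "") warnings.push("signature segment is empty");
  if (!hasExp) warnings.push("no exp claim: token never expires");

  return {
    header,
    payload,
    signature: s,                     // left as base64url; nothing here can check it
    expiresAt: hasExp ? new Date(payload.exp * 1000).toISOString() : null,
    isExpired: hasExp && payload.exp <= now,
    notYetValid: hasNbf && payload.nbf > now,
    warnings,
  };
}

// Constructed sample tokens (no real secret was used; the signature is a placeholder).
const SAMPLE_TOKEN = [
  b64urlEncode(JSON.stringify({ alg: "HS256", typ: "JWT" })),
  b64urlEncode(JSON.stringify({ sub: "user_123", email: "dev@example.com", roles: ["admin"], iat: 1700000000, exp: 1700003600 })),
  "placeholder-signature",
].join(".");

const UNSIGNED_TOKEN = [
  b64urlEncode(JSON.stringify({ alg: "none", typ: "JWT" })),
  b64urlEncode(JSON.stringify({ sub: "user_123", exp: 1700003600 })),
  "",
].join(".");

console.log(JSON.stringify(decodeJwt(SAMPLE_TOKEN), null, 2));
console.log(decodeJwt(UNSIGNED_TOKEN).warnings);
```

Passing `now` explicitly is what makes the expiry check reproducible in a test; in normal use the default (the current time) is what you want. The `exp` in the sample, 1700003600, decodes to 2023-11-14T23:13:20Z, so a run today reports it as expired.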
JWT security tips
JWTs are not encrypted — just encoded
The payload of an ordinary JWT (a JWS) is base64url-encoded, not encrypted. Anyone who obtains the token, whether from a log line, a browser history entry, or a proxy, can decode and read the claims. Never put sensitive information (passwords, card numbers) in a JWT payload. The one exception is JWE, the encrypted variant, which has five dot-separated segments instead of three and cannot be read without the decryption key.
Check the exp claim before debugging auth issues
A large share of JWT authentication failures are simply expired tokens, so check the exp claim first; the decoder shows the exact expiry timestamp in human-readable form. Also look at nbf (not before) and iat: a token rejected within seconds of being issued usually points to clock skew between the issuer and the verifier, which is why verifiers typically allow a small tolerance.
The signature is not verified client-side
Decoding shows the claims but cannot verify the signature: that requires the shared secret for HMAC algorithms such as HS256, or the issuer's public key for RSA and ECDSA algorithms such as RS256 and ES256. Decoding is for inspection; verification must happen in the service that relies on the token, never by trusting what the client presents.
Use alg: none as a red flag
If you see `"alg": "none"` in the header (or a case variant such as `"None"`), treat it as a security warning: a real issuer does not mint unsigned tokens. Some poorly implemented JWT libraries accept such tokens, and letting the header's alg field choose the verification algorithm is a common vulnerability. A verifier should pin the algorithm it expects and reject everything else.
Your tokens are never sent to any server
JWT decoding is pure base64url decoding — a simple JavaScript operation that runs entirely in your browser. Your tokens (which may contain user IDs, emails, and auth scopes) never leave your device.
Frequently asked questions
What is a JWT?
JWT (JSON Web Token) is a compact, URL-safe way to represent claims between two parties. It consists of three parts: a Header (algorithm and token type), a Payload (claims — data about the user or session), and a Signature (used to verify the token wasn't tampered with).
Is it safe to decode JWTs in an online tool?
With our tool, yes, because decoding happens entirely in your browser using JavaScript. Your token is never sent to any server or logged anywhere. Note that anything pasted into a web page is readable by browser extensions that have access to page content, so for extra caution avoid pasting production tokens with long-lived admin access.
What's the difference between decoding and verifying a JWT?
Decoding reads the header and payload without checking the signature; anyone can do this. Verification checks the signature using the HMAC secret or the issuer's public key, confirming the token is authentic and unmodified. Verification must happen server-side.
What does the exp claim mean?
The exp (expiration time) claim is a Unix timestamp (seconds since Jan 1, 1970) indicating when the token expires. Our decoder converts this to a human-readable date and tells you whether the token is currently valid or expired.
Can I use this to decode refresh tokens?
Refresh tokens are often opaque random strings rather than JWTs, though some providers issue them as signed JWTs. If your refresh token has three dot-separated parts, you can decode it here. Opaque refresh tokens cannot be decoded because they are just references to server-side session state.