JWT Decoder Online
Decode any JWT instantly. Header, payload, claims and expiry verification. No sign-up.
Built by
Miguel Ángel Colorado Marin
Full-Stack Developer · Guadalajara, España
I develop web apps, digital tools and full projects — from design to deployment.
How to use the JWT decoder?
1. Paste your JWT token
Copy the complete JWT token (including all three parts separated by dots) and paste it in the text area. You can use the "Load sample" button to test with a sample JWT and see how the tool works.
2. The token is decoded automatically
As soon as you enter the JWT, it is split at the dots into its three parts: header, payload and signature. The first two are decoded from base64url, parsed as JSON and displayed with syntax highlighting.
3. Check claims and expiration
If the payload contains the exp (expiration time) claim, the tool automatically shows whether the token has expired, along with the exact expiration date. It also detects iat (issued at) and other standard claims such as sub, iss, aud and jti.
4. Copy the parts you need
Each section (header and payload) has its own copy button that exports the formatted JSON. This is useful for debugging, documentation or extracting specific information from the token.
Frequently asked questions
What is a JWT?
JWT (JSON Web Token) is an open standard (RFC 7519) for securely transmitting information between parties as a signed JSON object. It consists of three base64url-encoded parts separated by dots: header (token type and algorithm), payload (data/claims) and signature (integrity verification). It is the de facto standard for authentication in REST APIs.
Why is the signature not verified?
JWT signature verification requires the secret key (HMAC) used to sign the token, or the public key (RSA/ECDSA) that matches the signing key. This information should never be sent to the client. This decoder only analyzes the visible content of the token, which is what you need for debugging and analysis. For signature verification, use the official libraries in your backend.
Is it safe to paste my JWT here?
All processing happens entirely in your browser. No data is sent to any server. However, for security, avoid pasting production JWTs in any online tool if the token contains sensitive information or has high privileges. Use it with test or development tokens.
What are standard claims?
Standard JWT claims (defined in RFC 7519) are: iss (issuer), sub (subject), aud (audience), exp (expiration time), nbf (not before), iat (issued at) and jti (JWT ID, unique identifier). They are optional but highly recommended for authentication tokens.
Can I decode encrypted JWTs (JWE)?
No. Currently only signed JWTs (JWS), which are the most common, are supported for decoding. Encrypted JWTs (JWE) have 5 parts and require the private key to decrypt the payload, so it is not possible to decode them without that key.
Embed the decoder on your site
Embed this JWT decoder in any web page with a simple iframe:
<iframe
src="https://miguelacm.es/embed/jwt-decoder"
width="100%"
height="600"
frameborder="0"
title="JWT Decoder"
></iframe>