JWT Decoder

Decode and inspect JSON Web Tokens online for free. View JWT header, payload, claims, and expiration details instantly. No data sent to servers.


How to Decode a JWT Token

1. Paste Your Token

   Copy the JWT from your application, API response, or browser developer tools and paste it into the input field. The token typically starts with 'eyJ' and contains two dots separating three Base64URL-encoded segments.

2. View the Decoded Header

   The header section reveals the signing algorithm (such as HS256 or RS256) and the token type. This tells you how the token was created and what method is needed to verify its signature.

3. Inspect the Payload Claims

   The payload contains the actual data: user identity, roles, permissions, and timing claims like issued-at and expiration. Timestamps are automatically converted to human-readable dates so you can instantly check whether a token has expired.

4. Check the Signature

   The signature section displays the raw signature string. Client-side verification is not performed, because it requires the secret key (HMAC) or the issuer's public key, but you can confirm the algorithm and copy the signature for server-side validation.
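The four steps above carried out in code, as an added example in JavaScript that is not the decoder's own source: it splits the token on the two dots, Base64URL-decodes the header and payload, leaves the signature raw, renders the timing claims as dates, and flags an expired token or an 'alg' of none. It assumes Node.js (Buffer); the sample token is constructed inline with a placeholder signature.

```javascript
// Added example, not the decoder's own source. Assumes Node.js (Buffer).
const TIMESTAMP_CLAIMS = ['iat', 'exp', 'nbf'];
// Base64URL -> UTF-8 text: map '-' to '+', '_' to '/', then restore '=' padding.
function b64urlDecode(seg) {
  const b64 = seg.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

// Decode without verifying. `now` is Unix seconds (defaults to the current time)
// so that expiry can be evaluated against a fixed clock in tests.
function decodeJwt(token, now = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated segments, got ${parts.length}`);
  }
  const [h, p, signature] = parts;
  const header = JSON.parse(b64urlDecode(h));
  const payload = JSON.parse(b64urlDecode(p));
  // Registered timing claims are Unix seconds; render them as ISO-8601 dates.
  const dates = {};
  for (const claim of TIMESTAMP_CLAIMS) {
    if (typeof payload[claim] === 'number') {
      dates[claim] = new Date(payload[claim] * 1000).toISOString();
    }
  }

  const warnings = [];
  if (typeof payload.exp === 'number' && payload.exp <= now) warnings.push('token expired');
  if (typeof payload.nbf === 'number' && payload.nbf > now) warnings.push('token not yet valid');
  if (String(header.alg).toLowerCase() === 'none') warnings.push('alg is none: unsigned token');
  if (signature.length === 0) warnings.push('empty signature');

  return { header, payload, signature, dates, warnings };
}

// Constructed sample token: HS256 header, claims that expired at exp=1700000000
// (2023-11-14T22:13:20Z). The signature segment is a placeholder; nothing verifies it.
const b64urlEncode = (text) => Buffer.from(text, 'utf8').toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const SAMPLE_TOKEN = [
  b64urlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' })),
  b64urlEncode(JSON.stringify({ sub: 'user-42', aud: 'api', iat: 1699999100, exp: 1700000000 })),
  'placeholder-signature',
].join('.');

// Evaluate against a fixed clock 100 s after expiry; `warnings` will report it.
const decoded = decodeJwt(SAMPLE_TOKEN, 1700000100);
console.log(JSON.stringify(decoded, null, 2));
```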

Common Use Cases

1. Debugging Authentication Flows

   When login or API requests fail with 401 or 403 errors, decoding the JWT reveals whether claims like 'exp', 'aud', or 'iss' contain the expected values. This is the fastest way to isolate token-related bugs in OAuth 2.0 and OpenID Connect implementations.

2. Inspecting API Gateway Tokens

   API gateways such as AWS API Gateway, Kong, and Cloudflare Access attach JWTs to requests. Decoding these tokens lets you verify that scopes, roles, and custom claims are propagated correctly before they reach your backend services.

3. Learning JWT Structure

   If you are new to token-based authentication, pasting a sample JWT into the decoder provides an interactive way to understand the three-part structure, registered claim names, and how Base64URL encoding works in practice.

4. Auditing Token Expiration Policies

   Security teams can paste tokens from different environments to compare expiration windows, check that refresh token lifetimes comply with policy, and confirm that sensitive claims are not exposed in access tokens.

Why use our JWT Decoder?

Quickly decode and inspect JSON Web Tokens (JWTs) to understand their contents. View the header algorithm, payload claims, and signature. Timestamps are automatically converted to readable dates. Perfect for debugging authentication issues, understanding API tokens, or learning about JWT structure.

JSON Web Tokens (JWTs) are the standard mechanism for transmitting identity and authorization data in modern web applications. Every time a user logs in through OAuth 2.0, OpenID Connect, or a custom authentication system, the server issues a JWT that the client attaches to subsequent requests. This decoder lets you paste any JWT and instantly view its three parts: the header that specifies the signing algorithm, the payload that carries claims about the user, and the signature that proves the token has not been tampered with. Processing happens entirely in your browser, so your tokens are never transmitted over the network.

Understanding what is inside a JWT is essential for debugging. A single mismatched aud claim or an expired exp timestamp can cause an entire authentication flow to fail silently. Instead of writing throwaway scripts or searching for an online tool that might log your tokens, you can use this JWT Decoder with confidence that your data stays private. Pair it with the JWT Generator to create test tokens, the JWT Security Validator to audit algorithm and claim safety, or the Base64 Encoder to manually inspect individual token segments.

Whether you are a backend developer troubleshooting a microservices authorization chain, a frontend engineer verifying that scopes arrive correctly after login, or a security auditor reviewing token policies across environments, this tool provides the fastest path from a raw token string to actionable insight. Combine it with the JSON Formatter to pretty-print complex payloads or the Unix Timestamp Converter to cross-check date claims against other log entries.

How It Compares

Most online JWT decoders follow the same basic pattern: paste a token, see the header and payload. What sets this tool apart is its strict client-side architecture. Popular alternatives like jwt.io process tokens on the server or load external tracking scripts, which means your token data could be logged or intercepted. This decoder runs entirely in your browser with zero network requests after the page loads, making it safe for production tokens that contain real user data.

Paid API debugging platforms such as Postman, Insomnia, and Paw include built-in JWT viewers, but they require account creation and are overkill when you just need to check a single claim. Command-line tools like jq combined with base64 can decode tokens, but they require manual splitting on the dot separator and do not auto-convert timestamps. This decoder gives you the speed of a CLI with the readability of a GUI, plus automatic date formatting and structure validation at no cost.

Tips for Working with JWTs

1. Never share a valid JWT publicly. The payload is only Base64URL-encoded, not encrypted, so anyone can read it, and because the signature is valid, anyone holding the token can present it until it expires.

2. Check the 'exp' claim first when debugging. Most authentication failures are caused by expired tokens, and this decoder converts the Unix timestamp to a readable date automatically.

3. Use short expiration times for access tokens (5 to 15 minutes) and longer lifetimes for refresh tokens. Decode both to verify your server is issuing them correctly.

4. The 'alg' field in the header should never be 'none' in production. If you see this value, the issuing service is emitting unsigned tokens, which is a critical security vulnerability.

5. Copy the decoded payload as JSON and paste it into a JSON formatter for easier reading when the token contains deeply nested custom claims.

Frequently Asked Questions

1. What is a JWT?

   A JSON Web Token (JWT) is a compact, URL-safe token format used for securely transmitting information between parties. It consists of three parts: header, payload, and signature, each separated by a dot and encoded in Base64URL format.

2. Is my token secure when using this tool?

   Yes. All decoding happens entirely in your browser using JavaScript. Your token is never sent to any server, stored in a database, or logged in any way. You can verify this by disconnecting from the internet and using the tool offline.

3. Can this tool verify JWT signatures?

   This tool decodes tokens and displays the signature, but it does not perform cryptographic verification. Signature verification requires the secret key (for HMAC algorithms) or the public key (for RSA/ECDSA algorithms), and it belongs on your server, not in the browser.

4. What do the common JWT claims mean?

   Registered claims include 'sub' (subject identifier), 'iat' (issued at timestamp), 'exp' (expiration timestamp), 'nbf' (not before), 'iss' (token issuer), 'aud' (intended audience), and 'jti' (unique token ID). Custom claims can contain any application-specific data.

5. Why are some timestamps shown as dates?

   Standard JWT timestamp claims like 'iat', 'exp', and 'nbf' are stored as Unix epoch seconds. This tool automatically detects these fields and converts them to human-readable dates in your local timezone.
