JWT Decoder: Decode & Inspect JSON Web Tokens Online
A JWT decoder is a tool that reads a JSON Web Token and displays its three parts — header, payload, and signature — in human-readable form. To use one, paste a token and the decoder shows its contents and claims. The FindUtils JWT Decoder does this in your browser — free, with no signup and no upload.
This guide explains what a JWT is, how to decode one step by step, what each part contains, and the critical security rules for handling tokens safely.
What Is a JWT and Why Decode One?
A JSON Web Token (JWT) is a compact, signed token used to carry identity and authorization data between systems. Decoding one reveals its header, payload, and claims so you can see exactly what it contains.
JWTs look like opaque strings: three blocks of characters separated by dots. The common signed form (a JWS) is not encrypted, only encoded, so the header and payload are fully readable by anyone who holds the token. (An encrypted JWT, a JWE, has five dot-separated segments and cannot be read without the key, but most login and API flows use the signed form.) Decoding is essential for debugging authentication.
Decode a JWT when:
- You debug a login or auth flow and need to see what a token contains.
- A request is rejected and you suspect the token expired or lacks a claim.
- You inspect token claims — user ID, roles, scopes, issuer.
- You check expiry: the exp claim tells you when a token becomes invalid.
- You are learning how JWTs work and want to see the structure plainly.
How to Decode a JWT Online
Decoding a JWT takes one action: paste the token. The steps below describe what to look at in the output. The FindUtils JWT Decoder runs entirely in your browser, so the token is never transmitted.
Step 1: Open the JWT Decoder
Go to the FindUtils JWT Decoder. Decoding happens client-side, so the token you paste never leaves your device.
Step 2: Paste the Token
Paste the full JWT — all three dot-separated parts. The decoder splits it into header, payload, and signature automatically.
Step 3: Review the Header
The header shows the token's metadata, mainly the signing algorithm (alg) and token type (typ), sometimes with a key identifier (kid). Note what alg says, but treat it as a claim like any other: the verifier decides which algorithms it accepts and must not take the header's word for it.
Step 4: Review the Payload and Claims
The payload holds the claims — the actual data. Check standard claims like exp (expiry), iat (issued at), sub (subject), and iss (issuer), plus any custom claims your application added.
Step 5: Check Expiry
exp is a NumericDate: seconds since the Unix epoch, not milliseconds (mixing the two is a common source of tokens that look valid for decades or expired since 1970). Convert it to a readable date to see whether the token is still valid. An expired token is the most common reason a previously working request starts failing; if fresh tokens are rejected as expired, compare the issuer's clock with the verifier's, since verifiers allow only a few seconds of skew.
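The five steps above, as an added example that is not code from the FindUtils tool: a dependency-free decoder of the kind a client-side tool runs. It splits the token, restores the Base64URL segments to standard Base64, parses the header and payload, and classifies the exp claim. The sample token, the function names and the fallback for older Node versions are assumptions made for this example; it decodes only and never checks the signature.

```javascript
// Added example, not code from the FindUtils tool. Works unchanged in a browser
// and in Node 16+ (atob and TextDecoder are globals in both). Decoding reads the
// token; it never checks the signature, so nothing here proves the token is genuine.

// Base64URL differs from Base64 in two characters (- and _ for + and /) and drops
// the trailing = padding, so both must be restored before a standard decoder accepts it.
function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const binary = typeof atob === 'function'
    ? atob(padded)
    : Buffer.from(padded, 'base64').toString('binary'); // fallback for Node < 16
  const bytes = Uint8Array.from(binary, (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes); // JSON inside a JWT is UTF-8
}

// Split header.payload.signature and parse the two JSON parts. The signature segment
// is returned as-is: it is raw bytes, not JSON, and only a verifier with the key can check it.
function decodeJwt(token) {
  const parts = token.trim().split('.');
  if (parts.length === 5) {
    throw new Error('5 segments: this is an encrypted JWT (JWE); its payload is unreadable without the key');
  }
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated segments, got ${parts.length}`);
  }
  const [headerSeg, payloadSeg, signatureSeg] = parts;
  return {
    header: JSON.parse(base64UrlDecode(headerSeg)),
    payload: JSON.parse(base64UrlDecode(payloadSeg)),
    signature: signatureSeg,
  };
}

// exp (like iat and nbf) is a NumericDate: seconds since the Unix epoch, not
// milliseconds. RFC 7519 treats a token as expired once the current time is at or past exp.
function expiryStatus(payload, nowSeconds = Math.floor(Date.now() / 1000)) {
  if (typeof payload.exp !== 'number') return { state: 'no-exp' };
  return {
    state: nowSeconds >= payload.exp ? 'expired' : 'valid',
    expiresAt: new Date(payload.exp * 1000).toISOString(),
    secondsLeft: payload.exp - nowSeconds,
  };
}

// Constructed sample token: header {"alg":"HS256","typ":"JWT"}, payload
// {"sub":"1234567890","exp":1516239022}, and a signature segment of 32 zero bytes
// (arbitrary, since this code never verifies it).
const SAMPLE_TOKEN =
  'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9' +
  '.eyJzdWIiOiIxMjM0NTY3ODkwIiwiZXhwIjoxNTE2MjM5MDIyfQ' +
  '.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA';

const decoded = decodeJwt(SAMPLE_TOKEN);
console.log(decoded.header);                // { alg: 'HS256', typ: 'JWT' }
console.log(decoded.payload);               // { sub: '1234567890', exp: 1516239022 }
console.log(expiryStatus(decoded.payload)); // state 'expired': 2018-01-18T01:30:22.000Z is long past
```

Paste any three-segment token into `decodeJwt` and you get the same view the online tool shows; the JWE branch exists because a five-segment token is the one case where "encoded, not encrypted" does not apply.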
What's Inside a JWT
A JWT has three parts, separated by dots. Each is Base64URL-encoded: the URL-safe Base64 alphabet (- and _ in place of + and /) with the trailing = padding removed, which is why a plain Base64 decoder sometimes rejects a segment until the padding is restored.
| Part | Contents | Purpose |
|---|---|---|
| Header | alg (algorithm), typ (type) | Describes how the token is signed |
| Payload | Claims — exp, iat, sub, iss, custom data | Carries the actual information |
| Signature | A MAC (HS256 and related) or a digital signature (RS256, ES256, PS256, ...) computed over the header and payload | Lets a verifier that holds the key detect tampering |
Common standard claims in the payload:
| Claim | Meaning |
|---|---|
| exp | Expiration time — when the token becomes invalid |
| iat | Issued at — when the token was created |
| sub | Subject — usually the user ID |
| iss | Issuer — who created the token |
| aud | Audience — who the token is intended for |
The crucial point: a JWT is encoded, not encrypted. Anyone with the token can read the header and payload. The signature does not hide the data — it only proves the token was not altered. Never put secrets in a JWT payload.
JWT Decoder: Free Online Tool vs Other Methods
You can decode a JWT in code or by hand, but a decoder is fastest for debugging. Here is the comparison — with a privacy warning.
| Method | Speed | Privacy | Best for |
|---|---|---|---|
| FindUtils JWT Decoder (Free) | Instant | Client-side, token never uploaded | Safe quick debugging |
| Server-based JWT decoders | Instant | Token sent to a third-party server | Risky — avoid with real tokens |
| Decoding in code | Fast | Local | Inside application logic |
| Manual Base64 decoding | Slow | Local | Learning the format |
The honest and important tradeoff: many online JWT decoders send your token to their server to decode it. A real JWT is a live credential — pasting it into a server-side tool hands a stranger a working key to an account. Only ever decode real tokens with a tool that processes them client-side, like the FindUtils JWT Decoder, or decode them locally in code.
Common JWT Mistakes and How to Fix Them
Mistake 1: Pasting a Real Token Into a Server-Side Decoder
A live JWT is a credential. Pasting it into a tool that uploads it exposes the account. Fix it by only using a client-side decoder for real tokens.
Mistake 2: Assuming a JWT Is Encrypted
JWT payloads are readable by anyone with the token. Fix it by never storing passwords, secrets, or sensitive personal data in the payload.
Mistake 3: Trusting a Decoded Token Without Verifying the Signature
Decoding shows the contents but does not prove the token is genuine: anyone can assemble a token with any claims and an arbitrary signature segment, and it will decode perfectly. Fix it by always verifying the signature on the server, with the key and algorithm the server expects, and by checking exp, iss and aud before trusting any claim.
Mistake 4: Ignoring the Expiry Claim
A token past its exp time is invalid even if it decodes fine. Fix it by checking the exp claim whenever a request is unexpectedly rejected, and by making the verifier enforce exp (and nbf, if present) on every request with only a few seconds of clock skew allowed.
Mistake 5: Confusing the Algorithm
A token's alg header must match what the server expects. Comparing the decoded header against your server's configuration is useful while debugging, but the enforcement belongs in code: pin the accepted algorithm (or short list of algorithms) in the verifier and reject any token whose header declares something else, including none. The header is attacker-controlled input and must never choose the verification method.
Tools Used in This Guide
- JWT Decoder — Decode and inspect JSON Web Tokens client-side
- JWT Generator — Create signed JSON Web Tokens for testing
- JSON Formatter — Format the decoded payload for readability
- Base64 Encoder — Encode and decode the Base64URL parts manually
FAQ
Q1: Is the JWT decoder free to use? A: Yes. The FindUtils JWT Decoder is completely free with no signup and no usage limits. It decodes tokens in your browser — the token is never uploaded to a server.
Q2: What is the best free JWT decoder online in 2026? A: FindUtils offers one of the best free JWT decoders available. It shows the header, payload, and claims of any token and, crucially, processes everything client-side so your token stays private.
Q3: Is it safe to decode a JWT online? A: Only with a client-side decoder. A real JWT is a live credential. The FindUtils JWT Decoder processes tokens entirely in your browser, so they are never transmitted. Never paste a real token into a tool that uploads it.
Q4: Is a JWT encrypted? A: No. A JWT is encoded, not encrypted. Anyone with the token can read the header and payload. The signature only proves the token was not tampered with — it does not hide the contents.
Q5: How do I check if a JWT is expired?
A: Decode the token and look at the exp claim, a NumericDate in seconds since the Unix epoch (not milliseconds). Convert it to a readable date: if it is in the past, the token has expired and a correct verifier will reject it.
Q6: Can I trust the data in a decoded JWT? A: Decoding shows what a token claims, but does not prove it is genuine. The server must verify the token's signature before trusting any claim. Never make security decisions on a decoded-but-unverified token.
Q7: What are the three parts of a JWT? A: A JWT has a header (signing algorithm and type), a payload (the claims and data), and a signature (which verifies integrity). The three parts are Base64URL-encoded and separated by dots.
Next Steps
- Generate test tokens with the JWT Generator
- Format the decoded payload with the JSON Formatter
- Encode and decode token parts with the Base64 Encoder
- Read the complete guide to online security tools for more free utilities