JWT Decoder — Decode & Inspect JSON Web Tokens Online [2026]
Decode and inspect JSON Web Tokens (JWT) instantly. View header, payload, and signature. Check expiration, claims, and token structure. Free, runs in your browser.
What is JWT Decoder?
How to Use JWT Decoder
1. Paste your JWT token (the full eyJ... string) into the input box.
2. The decoder instantly splits the token into Header, Payload, and Signature sections.
3. Review the decoded claims — check the exp (expiration), iat (issued at), sub (subject), and any custom claims.
4. The tool highlights whether the token is expired based on the exp claim.

Note: This tool decodes only — it does not verify the signature. Never trust a JWT without server-side signature verification.
How JWT Decoder Works
Common Use Cases
- Debugging authentication issues by inspecting token claims
- Checking JWT expiration time during development
- Verifying the correct user ID, roles, or permissions are in the payload
- Understanding what data is being sent in API authorization headers
- Learning JWT structure for educational or security research purposes
Frequently Asked Questions
Is it safe to paste my JWT into this decoder?
This tool runs entirely in your browser — your JWT is never sent to any server. However, be cautious with production tokens containing sensitive user data. For maximum safety, revoke tokens after debugging or use test tokens. Never share JWTs with untrusted third-party tools.
What does "signature verification" mean and why doesn't this tool do it?
JWT signature verification confirms the token was issued by a trusted authority and hasn't been tampered with. Verification requires the secret key (HS256) or public key (RS256) that corresponds to the key used to sign the token. This tool only decodes the visible data — it cannot verify signatures without that verification key.
What is the difference between HS256 and RS256?
HS256 (HMAC-SHA256) uses a shared secret key — both issuer and verifier use the same key. RS256 (RSA-SHA256) uses a public/private key pair — the issuer signs with the private key, and anyone can verify with the public key. RS256 is preferred for distributed systems since you can share the public key without exposing your signing secret.
Why is my JWT showing as expired?
The exp claim is a Unix timestamp. The tool compares it to the current time and flags it as expired if exp < now. Common causes: the token TTL is short (15-60 minutes is typical), a clock skew issue between servers, or the token was intentionally short-lived for security.
Can a JWT be tampered with?
The payload is only Base64URL encoded, not encrypted — anyone can decode and read it. However, changing the payload invalidates the signature, so tampering is detectable during server-side verification. Never store secrets in a JWT payload. If you need the payload to be confidential, use JWE (JSON Web Encryption) instead.
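The difference between decoding and verifying, as an added example (not this tool's code): it runs in Node.js and shows an edited payload that still decodes cleanly but fails HS256 verification. The secret, timestamp and claims are constructed, and `decodeJwt`, `verifyHs256` and `signHs256` are illustrative names.

```javascript
const { createHmac, timingSafeEqual } = require('node:crypto');

const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const fromB64url = (seg) => JSON.parse(Buffer.from(seg, 'base64url').toString('utf8'));

// Decode only: what a browser-side decoder does. No trust is established.
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  return { header: fromB64url(parts[0]), payload: fromB64url(parts[1]) };
}

// Server-side check: pin the algorithm, verify the HMAC, then check exp.
function verifyHs256(token, secret, nowSeconds, leewaySeconds = 0) {
  const { header, payload } = decodeJwt(token);
  // The verifier decides the algorithm; the token's header is only compared.
  if (header.alg !== 'HS256') return { ok: false, reason: 'unexpected alg' };
  const [h, p, s] = token.split('.');
  const expected = createHmac('sha256', secret).update(`${h}.${p}`).digest();
  const given = Buffer.from(s, 'base64url');
  // timingSafeEqual throws on a length mismatch, so compare lengths first.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad signature' };
  }
  if (typeof payload.exp !== 'number') return { ok: false, reason: 'missing exp' };
  // Expired when exp < now; leeway absorbs clock skew between servers.
  if (payload.exp + leewaySeconds < nowSeconds) return { ok: false, reason: 'expired' };
  return { ok: true, payload };
}

// Constructed sample data (not real credentials).
const SECRET = 'constructed-demo-secret';
const NOW = 1700000000;
function signHs256(payload, secret) {
  const input = `${b64url({ alg: 'HS256', typ: 'JWT' })}.${b64url(payload)}`;
  return `${input}.${createHmac('sha256', secret).update(input).digest('base64url')}`;
}
const TOKEN = signHs256({ sub: 'user-1', role: 'user', exp: NOW + 900 }, SECRET);

// Same header and signature, payload edited after signing.
const [H, P, S] = TOKEN.split('.');
const EDITED = `${H}.${b64url({ ...fromB64url(P), role: 'admin' })}.${S}`;

console.log(decodeJwt(EDITED).payload.role); // decoding alone shows the edited claim
console.log(verifyHs256(EDITED, SECRET, NOW)); // verification rejects it
console.log(verifyHs256(TOKEN, SECRET, NOW).ok); // the untouched token passes
```
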