JWT Decoder

Free · Private · Decode only

Paste a JWT to inspect the header and payload. Decoding runs locally; signatures are not verified.

JWT Decoder Online

JSON Web Tokens pack a header, payload, and signature into three Base64url segments. Paste a token from OAuth flows, APIs, or localStorage to inspect decoded JSON claims, useful for debugging iss, aud, sub, and exp without shipping secrets to a third party.

Where Is This Useful?

  • Auth debugging: Confirm scopes, tenant IDs, and clock skew when tokens fail. Copy decoded header/payload into the JSON Formatter or compare two captures with JSON Diff.
  • Learning OIDC: Compare ID token vs access token JSON side by side. Read nested claims with the JSONPath tester once you know the paths you care about.
  • Privacy-first: Decode locally, which is ideal when tokens contain PII you do not want on random paste sites. Nothing is uploaded; same privacy model as the JSON Repair and formatter tools.

How to Use

  1. Paste the full JWT string (three segments separated by dots)
  2. Click Decode or press Ctrl+Enter
  3. Read header & payload JSON; check the Claims box for exp when present

What You See

  • Header: typically alg and typ
  • Payload: registered and custom claims as JSON
  • Signature segment: shown as opaque text (not verified here)
  • exp: human-readable UTC time when the claim exists

Security Notes

Decoding is not verifying. Anyone can Base64-decode a JWT; trust comes from cryptographic signature checks with the issuer's keys. Never treat decoded content alone as proof of authenticity.
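
The gap between decoding and verifying, shown as an added example (not this tool's code): a payload edited after signing still decodes cleanly but fails the signature check. It runs under Node.js and assumes an HS256 token with a constructed demo key; the function names are hypothetical, and production code should use an auth library as noted in the FAQ.

```javascript
// Added example (Node.js). The key and tokens are constructed for illustration.
const crypto = require('node:crypto');

const b64url = (s) => Buffer.from(s).toString('base64url');

// Decode only: what an inspector tool does. No key involved, no trust gained.
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected three dot-separated segments');
  const [header, payload] = parts.slice(0, 2)
    .map((seg) => JSON.parse(Buffer.from(seg, 'base64url').toString('utf8')));
  return { header, payload };
}

// Verify: recompute the HS256 MAC over "header.payload", compare in constant time.
function verifyHs256(token, key, nowSec = Math.floor(Date.now() / 1000)) {
  const [h, p, sig] = token.split('.');
  const { header, payload } = decodeJwt(token);
  if (header.alg !== 'HS256') return false; // pin the algorithm; do not let the token choose
  const expected = crypto.createHmac('sha256', key).update(`${h}.${p}`).digest();
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return false;
  // exp is only meaningful once the MAC has been checked
  return typeof payload.exp !== 'number' || payload.exp > nowSec;
}

// Helper used to build the constructed sample token.
function signHs256(payload, key) {
  const head = `${b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }))}.${b64url(JSON.stringify(payload))}`;
  return `${head}.${crypto.createHmac('sha256', key).update(head).digest('base64url')}`;
}

// Constructed sample: a genuine token, then the same token with an edited payload
// and the original signature left in place.
const KEY = 'demo-key-not-a-real-secret';
const genuine = signHs256({ sub: 'alice', role: 'user', exp: 4102444800 }, KEY);
const [gh, , gs] = genuine.split('.');
const tampered = `${gh}.${b64url(JSON.stringify({ sub: 'alice', role: 'admin', exp: 4102444800 }))}.${gs}`;

// The tampered payload decodes without complaint, yet verification rejects it.
console.log(decodeJwt(tampered).payload.role, verifyHs256(tampered, KEY)); // → admin false
```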

Frequently Asked Questions

Are signatures verified?

No. This tool only Base64url-decodes the header and payload. Use your auth library or JWKS to verify signatures in production.

Is the token sent to a server?

No. Decoding runs entirely in your browser.

What about exp?

When an exp claim exists as a Unix timestamp, the tool shows an ISO time and whether it looks expired relative to your device clock.
