JWT Decoder Online (Free) - Decode JWT Tokens
A JSON Web Token looks like a wall of random characters, but it actually carries readable data about who a user is and when their session expires. In this guide you will learn what a JWT is made of, how to read its claims, and how to check whether one has expired using the free JWT Decoder. The whole process runs in your browser, so even production tokens stay on your own device and are never uploaded to a server.
What a JWT is and how it is structured
A JSON Web Token (JWT) is a compact, URL-safe way to represent claims between two parties. It is made of three parts separated by dots, in the form header.payload.signature.
Each part is Base64url-encoded; the header and payload are JSON, while the signature is raw bytes:
- Header: describes the token type and the signing algorithm, for example HS256 or RS256.
- Payload: holds the claims - the actual data, such as the subject (sub), issued-at time (iat), and expiry (exp).
- Signature: a cryptographic signature (an HMAC for HS256, a digital signature for RS256 and similar) computed over the encoded header and payload, used to verify the token has not been tampered with.
Decoding a JWT just reverses the Base64url encoding to reveal the JSON. It is important to understand that decoding does NOT verify the signature - it only reveals what is inside. Anyone can read a JWT, so never put secrets in the payload.
How to use the JWT Decoder
Reading a token takes seconds:
- Open the JWT Decoder.
- Paste your token (the long string with two dots) into the input box.
- The tool splits it on the dots and Base64url-decodes each section automatically.
- Read the header and payload rendered as formatted, readable JSON.
- Check the expiry status, which is worked out from the exp claim against the current time.
There is nothing to install and no sign-up. Because everything happens locally, you can safely decode tokens from staging or production environments.
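The decoding steps above, as an added example that is not the JWT Decoder's own source: a browser-style decoder that restores Base64url padding, splits the token on its dots, renders header and payload as JSON, and derives the expiry status from the exp and nbf claims. The sample token is the article's own (with its placeholder signature); the function names are assumptions made for this example.

```javascript
// Added example (not the tool's code). Uses only atob/TextDecoder, which exist
// in browsers and in Node 16+, so it runs client-side with nothing uploaded.

// Base64url differs from plain Base64: '-' and '_' replace '+' and '/', and the
// trailing '=' padding is dropped. Restore both before handing it to atob.
function base64urlDecode(segment) {
  let b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const rem = b64.length % 4;
  if (rem === 1) throw new Error('invalid base64url length');
  if (rem) b64 += '='.repeat(4 - rem);
  const bin = atob(b64);
  const bytes = Uint8Array.from(bin, (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

// Split on the dots and decode header and payload. The signature is left as
// opaque text: decoding reveals it but does not (and cannot) verify it.
function decodeJwt(token) {
  const parts = token.trim().split('.'); // trim: pasted whitespace breaks the split
  if (parts.length !== 3) throw new Error(`expected 3 segments, got ${parts.length}`);
  const [h, p, s] = parts;
  return {
    header: JSON.parse(base64urlDecode(h)),
    payload: JSON.parse(base64urlDecode(p)),
    signature: s, // not verified here
  };
}

// Expiry status from exp and nbf. Both are seconds since the epoch, so the
// millisecond clock from Date.now() is divided by 1000 before comparing.
function expiryStatus(payload, nowMs = Date.now()) {
  const nowSec = Math.floor(nowMs / 1000);
  const iso = (sec) => new Date(sec * 1000).toISOString();
  if (typeof payload.exp === 'number' && payload.exp <= nowSec) {
    return { state: 'expired', expiresAt: iso(payload.exp) };
  }
  if (typeof payload.nbf === 'number' && payload.nbf > nowSec) {
    return { state: 'not-yet-valid', validFrom: iso(payload.nbf) };
  }
  if (typeof payload.exp !== 'number') return { state: 'no-expiry' };
  return { state: 'valid', expiresAt: iso(payload.exp) };
}

// The article's sample token (constructed; the signature segment is a placeholder).
const SAMPLE_TOKEN =
  'eyJhbGciOiJIUzI1NiJ9.' +
  'eyJzdWIiOiIxMjM0IiwibmFtZSI6IkphbmUiLCJleHAiOjE3MDAwMDAwMDB9.' +
  'abc123';

const decoded = decodeJwt(SAMPLE_TOKEN);
console.log(JSON.stringify(decoded, null, 2));
console.log(expiryStatus(decoded.payload));
```

Passing a fixed `nowMs` into `expiryStatus` makes the check reproducible; in the tool the current time is used, so the same token reads as valid before 1700000000 and expired after it.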
Example: decoding a token
Suppose you have this token (shortened for clarity):
eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0IiwibmFtZSI6IkphbmUiLCJleHAiOjE3MDAwMDAwMDB9.abc123
The decoder returns three readable pieces:
| Part | Decoded content |
|---|---|
| Header | alg: HS256, typ: JWT |
| Payload | sub: 1234, name: Jane, exp: 1700000000 |
| Signature | opaque bytes (not verified) |
The exp value is a Unix timestamp. If it is in the past, the token is expired and most servers will reject it. The decoder converts that number into a human-readable date so you can tell at a glance.
Common use cases
Developers reach for a JWT decoder constantly:
- Debugging auth: confirm the right user id, roles or scopes are in the token your API receives.
- Checking expiry: see exactly when a session or access token will stop working.
- Inspecting third-party tokens: read what an OAuth or OpenID Connect provider issued.
- Front-end work: verify the claims your single-page app reads from local storage.
- Learning: understand how a framework you use builds its tokens.
For related encoding work, the Base64 tool helps you encode and decode the underlying segments by hand, and the JSON Formatter pretty-prints the payload once you have it.
Tips and common mistakes
A few gotchas trip people up:
- Decoding is not validation. Seeing valid JSON does not mean the signature is genuine. Always verify the signature server-side with the secret or public key.
- Base64url is not plain Base64. JWTs replace plus and slash characters and drop padding, which is why a standard Base64 decoder sometimes fails. A proper JWT decoder handles this.
- Tokens are not encrypted. The payload is only encoded, so treat anything inside it as public.
- Watch the clock. The exp and nbf (not-before) claims are in seconds, not milliseconds. A token that looks expired may just be a timezone or unit mix-up.
- Trim whitespace. A stray space or newline pasted with the token can break the split on dots.
Privacy: your token never leaves your device
Auth tokens are sensitive - a valid access token can impersonate a user. That is exactly why this JWT Decoder does all of its work in your browser using JavaScript. Nothing is sent to a server, logged, or stored. When you close the tab, the token is gone.
This local-only approach means you can confidently inspect real tokens during debugging without worrying that a third party will capture them. For more developer utilities that work the same private way, browse the dev tools category or see all tools.
Frequently asked questions
Is the JWT Decoder free?
Yes, it is completely free with no sign-up, no account and no limits. Paste any token and read its contents instantly in your browser.
Is my token uploaded or stored anywhere?
No. The decoder runs entirely in your browser using JavaScript. Your token is never sent to a server, logged or saved, so even production tokens stay private on your device.
Does decoding a JWT verify the signature?
No. Decoding only Base64url-decodes the header and payload to show what is inside. It does not check the signature. You must verify the signature server-side with the signing key to trust a token.
Can a JWT be read by anyone?
Yes. A JWT is only encoded, not encrypted, so anyone holding it can decode and read the payload. Never store passwords or secrets inside a token.
How do I check if a JWT is expired?
Look at the exp claim, a Unix timestamp in seconds. If it is earlier than the current time the token is expired. The decoder converts exp into a readable date and flags expired tokens for you.