
Online JWT Decoder

Decode JSON Web Tokens (JWT) directly in your browser. View header and payload claims like sub, exp, iat, and more. Signature verification is not performed.

JWT Decoder

JSON Web Tokens (JWTs) are everywhere in modern authentication systems. They carry user identity, roles, scopes, and other claims between services without a server-side session. When a request fails with 401 Unauthorized or 403 Forbidden, the fastest way to debug is to decode the JWT and inspect its claims. This JWT decoder parses the token in your browser, displays the header and payload as readable JSON, and helps you quickly spot issues like expired tokens, incorrect audiences, or missing roles.

JWT structure explained

A JWT is made of three Base64URL-encoded parts separated by dots: header, payload, and signature. The header tells you which algorithm was used (for example, HS256 or RS256). The payload is a JSON object containing claims such as sub (subject), exp (expiry), and aud (audience). The signature is created by signing the header and payload with a secret or private key. Decoding lets you read header and payload; verifying requires the key.

When to decode a JWT

  • Authorization failures: Check aud, iss, scopes, or role claims when APIs reject tokens.
  • Expiration issues: Inspect exp, iat, and nbf to confirm timing.
  • Custom claims: Verify tenant IDs, feature flags, or user attributes added by your identity provider.
  • Token size: Large tokens can exceed header limits. Decoding helps identify overly large claims.
  • Security audits: Ensure sensitive data is not stored inside tokens.

How to use the JWT decoder

  1. Paste the full JWT into the input area.
  2. The tool splits the token by dots and decodes the header and payload.
  3. Review the pretty-printed JSON and copy parts as needed.

Important: Decoding is not verification. A tampered token decodes just as cleanly as a genuine one; only checking the signature with the secret or public key tells you whether the claims can be trusted.

Example: decode a JWT payload

Given a JWT like:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkF2YSBDaGVuIiwicm9sZXMiOlsiYWRtaW4iLCJlZGl0b3IiXSwiZXhwIjoxOTAwMDAwMDAwfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

The decoded payload might look like:

{
  "sub": "1234567890",
  "name": "Ava Chen",
  "roles": ["admin", "editor"],
  "exp": 1900000000
}

From here, you can see the user, roles, and expiration. This is often enough to diagnose why a user cannot access a specific route.

Common errors and fixes

  • Token has fewer than three parts: A signed JWT has exactly three dot-separated parts, so exactly two dots. Anything else is malformed or was truncated when copied.
  • Base64URL padding issues: JWTs omit padding. This decoder restores it, but if you copy a partial token, decoding will fail.
  • Expired token: If exp is in the past, refresh the token or request a new one.
  • Wrong audience: If aud does not match your API, the token will be rejected. Adjust your auth configuration.
  • Clock skew: If nbf is still in the future when the server checks it, the issuer's clock and the server's clock disagree. Check system time on both.
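The three steps above and the checks in this list (part count, Base64URL padding, exp, nbf, aud) as an added JavaScript example; this is not the decoder's own source code. It assumes a browser or Node 16+ runtime for atob and TextDecoder, and the 60-second leeway default and the expectedAud/expectedIss options are my own assumptions, not settings of this tool.

```javascript
// Added example, not the decoder's own code. Decodes a JWT exactly as the
// steps above describe and reports likely 401/403 causes; it never verifies.

// Base64URL -> text. JWTs use '-' and '_' and omit '=' padding, so padding is
// restored before decoding; a segment whose length is 4n+1 can never be valid.
function base64UrlDecode(segment) {
  if (!/^[A-Za-z0-9_-]*$/.test(segment) || segment.length % 4 === 1) {
    throw new Error("invalid Base64URL segment");
  }
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8").decode(bytes); // claims may contain non-ASCII text
}

// Split on dots (a signed JWT has exactly three parts) and parse the header
// and payload as JSON. The signature is returned as-is, NOT checked.
function decodeJwt(token) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error(`malformed JWT: expected 3 parts, got ${parts.length}`);
  const [header, payload, signature] = parts;
  return { header: JSON.parse(base64UrlDecode(header)), payload: JSON.parse(base64UrlDecode(payload)), signature };
}

// Explain common rejections from the decoded claims. `now` is in Unix seconds
// like exp/nbf; `leeway` (assumed 60 s) absorbs small clock skew between hosts.
function diagnose({ header, payload }, { now, expectedAud, expectedIss, leeway = 60 }) {
  const problems = [];
  const alg = String(header.alg ?? "").toLowerCase();
  if (alg === "" || alg === "none") problems.push("alg missing or 'none': treat the token as untrusted");
  if (typeof payload.exp === "number" && payload.exp + leeway < now) problems.push("expired: exp is in the past");
  if (typeof payload.nbf === "number" && payload.nbf - leeway > now) problems.push("not yet valid: nbf is in the future (clock skew?)");
  const aud = [].concat(payload.aud ?? []); // aud may be a single string or an array
  if (expectedAud && !aud.includes(expectedAud)) problems.push(`aud mismatch: got ${JSON.stringify(payload.aud)}`);
  if (expectedIss && payload.iss !== expectedIss) problems.push(`iss mismatch: got ${JSON.stringify(payload.iss)}`);
  return problems;
}

// The sample token from this page (header {"alg":"HS256","typ":"JWT"}).
const SAMPLE_TOKEN =
  "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9." +
  "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkF2YSBDaGVuIiwicm9sZXMiOlsiYWRtaW4iLCJlZGl0b3IiXSwiZXhwIjoxOTAwMDAwMDAwfQ." +
  "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c";

// Usage: an API that expects aud "orders-api" (assumed value) would reject this token.
const decoded = decodeJwt(SAMPLE_TOKEN);
console.log(decoded.payload.roles, diagnose(decoded, { now: 1700000000, expectedAud: "orders-api" }));
```

The same token with its payload segment edited still decodes without error, which is exactly why diagnose() can explain a rejection but never prove a token is genuine.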

Best practices for JWT usage

  • Keep tokens small. Avoid embedding large payloads or sensitive data.
  • Use short expiration times and refresh tokens for longer sessions.
  • Always verify the signature on the server.
  • Prefer modern algorithms like RS256 or ES256 for stronger security.
  • Use the JSON Validator tool when editing JWT payloads in test environments.

Interpreting common claims

Standard claims include iss (issuer), sub (subject), aud (audience), and exp (expiration). If aud does not match your API, the token will be rejected. If iss is not the expected identity provider, your gateway may block it. Custom claims vary by system, so always confirm expected keys with your auth provider’s documentation.

Time-based troubleshooting

JWT timestamps are in Unix seconds. If a token appears valid but the server still rejects it, check for clock skew between servers. Even a few minutes of difference can cause nbf (not before) and exp to fail. Many systems allow a small leeway window; if yours does not, consider adding one.

Token size and performance

Large tokens can exceed HTTP header size limits and cause unexpected 431 errors. If your decoded payload looks huge, move large claims to a user profile endpoint instead of embedding them in the JWT. Keep only essential identity and authorization data inside the token.

Security reminders

Do not store sensitive data like passwords or credit card numbers in JWTs. Because the payload is not encrypted, anyone who obtains the token can read it. If you need confidential data, use JWE or store it server-side instead.

Understanding the signature

The signature portion of a JWT ensures the header and payload were not altered. You cannot validate the signature without the correct secret or public key, but you can still inspect the alg value in the header to confirm it is the algorithm your system expects. If the header lists an unexpected algorithm, or the value none, treat the token as untrusted and verify your auth configuration immediately.

Using decoded data in debugging

When troubleshooting, copy the decoded payload into a ticket or incident report and highlight the key claims such as exp, aud, and roles. This makes it easy for other engineers to reproduce the issue. Avoid sharing full tokens in public channels; share only the decoded claims that are necessary for analysis.

Local-only processing

This decoder runs entirely in your browser. No requests are sent to a server, which keeps sensitive authentication data on your device and minimizes exposure.

For added safety, clear the input field after debugging and avoid saving tokens in shared documents.

FAQs

Is it safe to paste my JWT here? This tool runs in your browser and does not upload tokens. Still, avoid sharing production tokens publicly.

Can this tool verify signatures? No. It only decodes. Verification requires your secret or public key.

What is Base64URL? It is a URL-safe Base64 variant that uses - and _ instead of + and / and omits padding.

Why does my decoded payload show numeric dates? JWT timestamps are typically Unix epoch seconds. Convert them to human-readable time to check validity.

Can I use this for JWS or JWE? This tool is for standard signed JWTs (JWS). Encrypted JWTs (JWE) require decryption keys.

How do I generate a test token? Use your auth server or a trusted library, then decode it here to verify its contents.