
🔍 JWT Decoder

Decode and inspect JSON Web Tokens. Header, payload, and signature - all decoded instantly in your browser.

🔐 This tool only DECODES the JWT - it does not verify the signature. Never paste production secrets here.
Token is valid. Expires: Wed, 01 Jan 2031 00:53:20 GMT
Header
{
  "alg": "HS256",
  "typ": "JWT"
}
Payload
{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022,
  "exp": 1924995200
}
Signature
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Signature cannot be verified without the secret key. Algorithm: HS256

Complete Guide

📊 Key Data Points

HS256 vs RS256

HMAC (HS256) uses a shared secret. RSA (RS256) uses public/private key pair — required for multi-service architectures

exp claim

Token expiry as Unix timestamp — decoded to human-readable date by this tool

Base64URL encoding

JWT uses Base64URL (- and _ instead of + and /) — different from standard Base64

JWT Decoder — Decode and Inspect JSON Web Tokens -- Complete USA Guide 2026

JWT tokens are Base64URL-encoded strings that contain claims about a user or session. When authentication breaks, understanding the exact contents of a JWT — the algorithm used, the expiry time, the issuer, and the custom claims — is the first debugging step.

This decoder decodes any JWT token and shows the header, payload, and signature details. Runs entirely in your browser — your tokens are never transmitted.


For timestamp fields, pair with Epoch Converter.

🔬 How This Calculator Works

Splits the JWT into its three parts (header, payload, signature) and Base64URL-decodes the header and payload. Displays all claims with human-readable formatting: exp and iat timestamps are converted to readable dates, algorithm names are explained, and custom claims are formatted as JSON.

Verification is not performed (requires the secret key), but the decoded payload shows all the information needed to debug authentication issues.
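The decoding steps described above, written out as an added example (this is not the site's own code). It splits the token on dots, Base64URL-decodes and JSON-parses the header and payload, converts the exp, iat and nbf claims to ISO dates, and reports whether the token is expired, not yet valid, or within its validity window. It also applies the FAQ's 13-digit heuristic (a timestamp of 1e12 or more is treated as milliseconds). The signature segment is returned untouched and never checked. It assumes Node.js for the Buffer API; in a browser, atob() plus TextDecoder would take Buffer's place. The sample token is constructed from the header and payload shown on this page with the page's signature string as an opaque placeholder.

```javascript
// Added example: a minimal JWT decoder (decode only, no signature check).
// Assumes Node.js for Buffer; in a browser use atob() + TextDecoder instead.

function base64UrlDecode(segment) {
  // Base64URL uses '-' and '_' in place of '+' and '/' and drops '=' padding.
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

function base64UrlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

const TIME_CLAIMS = ['exp', 'iat', 'nbf'];

// Heuristic from the FAQ: a 13-digit value is almost certainly milliseconds,
// not seconds. Returns the value in seconds plus a flag saying whether it was
// converted, or null when the claim is absent or not a number.
function normaliseTimestamp(value) {
  if (typeof value !== 'number' || !Number.isFinite(value)) return null;
  const looksLikeMillis = Math.abs(value) >= 1e12;
  return {
    seconds: looksLikeMillis ? Math.floor(value / 1000) : value,
    fromMillis: looksLikeMillis,
  };
}

// nowSeconds is a parameter so the time checks are deterministic in tests.
function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) {
    return { ok: false, error: `expected 3 dot-separated parts, got ${parts.length}` };
  }

  let header;
  let payload;
  try {
    header = JSON.parse(base64UrlDecode(parts[0]));
    payload = JSON.parse(base64UrlDecode(parts[1]));
  } catch (e) {
    return { ok: false, error: `header or payload is not valid JSON: ${e.message}` };
  }

  // Convert the time-based claims to readable dates.
  const times = {};
  for (const claim of TIME_CLAIMS) {
    const t = normaliseTimestamp(payload[claim]);
    if (t) times[claim] = { ...t, iso: new Date(t.seconds * 1000).toISOString() };
  }

  // Time-window status only; "valid" here says nothing about the signature.
  let timeStatus = 'no exp claim';
  if (times.nbf && times.nbf.seconds > nowSeconds) timeStatus = 'not yet valid';
  else if (times.exp) timeStatus = times.exp.seconds <= nowSeconds ? 'expired' : 'valid';

  return {
    ok: true,
    header,
    payload,
    signature: parts[2],       // present but NOT verified
    alg: header.alg,
    times,
    timeStatus,
  };
}

// Constructed sample: the header and payload shown on this page; the
// signature segment is an opaque placeholder since this decoder never checks it.
const SAMPLE_TOKEN = [
  base64UrlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' })),
  base64UrlEncode(JSON.stringify({ sub: '1234567890', name: 'John Doe', iat: 1516239022, exp: 1924995200 })),
  'SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c',
].join('.');

console.log(JSON.stringify(decodeJwt(SAMPLE_TOKEN), null, 2));
```

Run it with node and the exp claim comes out as 2031-01-01T00:53:20.000Z, matching the date the tool shows for the same payload. Note that timeStatus only reports the exp/nbf window; the returned signature is a string the code never checks.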

✅ What You Can Calculate

Header and payload decoding

Decodes the Base64URL-encoded header and payload to JSON. Shows algorithm (alg), token type (typ), expiry (exp), issued-at (iat), issuer (iss), subject (sub), and all custom claims.

Timestamp conversion

exp and iat Unix timestamps are converted to human-readable dates. Instantly see whether the token has expired or how long it is valid.

Algorithm display

Shows which JWT algorithm was used (HS256, RS256, ES256) and explains what each means for security and verification.

Signature note

Notes that the signature is present but not verified (verification requires the secret key or public key). Prevents false confidence from an unverified signature.

🎯 Real Scenarios & Use Cases

Debugging authentication failures

Your API is returning 401 Unauthorized. Decode the JWT being sent to see whether it has expired, is missing required claims, or was issued by the wrong service.

OAuth and OIDC token inspection

Access tokens, refresh tokens, and ID tokens from OAuth and OIDC flows are all JWTs. Decode them here to inspect the claims and debug integration issues.

Understanding JWT structure

Learning about JWT for the first time. See the three-part structure (header.payload.signature) and how each part is Base64URL-encoded and dot-separated.

Verifying token contents in tests

Your test is failing because a JWT claim is wrong. Decode the token your test generates here to see the exact payload rather than printing it in your test runner.

💡 Pro Tips for Accurate Results

Never paste production JWTs into online tools. This one is the exception because it runs entirely in your browser, but as a general rule treat JWTs like passwords: they grant access to your system for their lifetime.

Check exp first when debugging. The most common JWT authentication failure is a token that has expired. The exp claim decoded here tells you immediately if that is the issue.

RS256 requires public key verification. HS256 tokens can be verified with the shared secret. RS256 tokens require the public key from the JWKS endpoint. This tool decodes but does not verify — use a library for verification.

iat (issued at) vs nbf (not before). iat is when the token was issued. nbf is when it becomes valid (useful for tokens issued in advance). Both are Unix timestamps — decoded to readable dates here.


🏁 Bottom Line

JWT debugging is the first step when authentication breaks in a microservice or OAuth flow. This decoder shows exactly what claims are in your token and whether it has expired — without transmitting the token anywhere. For timestamp fields: Epoch Converter. For key information: RSA Key Info.

Is it safe to paste a production JWT token into this decoder?

Yes — this tool runs entirely in your browser. The token is decoded using JavaScript's atob() function on your device; nothing is transmitted to any server. Verify this yourself: open DevTools > Network while decoding a token and observe zero outbound requests. This is the key reason to use a browser-based JWT decoder rather than server-based tools when working with production tokens, which contain real user identity, permissions, and session data.

What are the three parts of a JWT token?

A JWT has three Base64URL-encoded parts separated by dots: [header].[payload].[signature]. The header specifies the token type (typ: JWT) and signing algorithm (alg: HS256, RS256, ES256). The payload contains claims — sub (subject/user ID), iat (issued at), exp (expiration), aud (audience), iss (issuer), plus any custom claims. The signature proves the token was issued by someone holding the signing key and has not been modified. This tool decodes the header and payload; verifying the signature requires the signing key.

Why does the decoder show the token as expired?

The exp claim is a Unix timestamp (seconds since January 1, 1970). If the current time is past that timestamp, the token is expired. The decoder compares exp against your local browser time. If exp is a 13-digit number instead of 10-digit, it may be in milliseconds instead of seconds — divide by 1000 to check. A token that expires in 1970 has this problem.

What signing algorithms do JWTs support and which should I use?

HMAC-based (symmetric): HS256, HS384, HS512 — same secret to sign and verify. RSA-based (asymmetric): RS256, RS384, RS512 — private key signs, public key verifies. EC-based: ES256, ES384, ES512 — faster and shorter signatures than RSA with equivalent security. For server-to-server with shared secret: HS256 is simpler. For APIs where clients need to verify tokens without the signing secret (public JWKS endpoint): RS256 or ES256. ES256 is preferred over RS256 for new systems.

What is the nbf claim and why does it matter?

nbf stands for 'not before' — a Unix timestamp before which the token must not be accepted. Less common than exp but important when pre-generating tokens for future actions (scheduled password reset emails), ensuring tokens from a rotation are not usable until the rotation takes effect, or coordinating token usage across distributed systems with clock skew. A token with a future nbf is not yet valid even if structurally correct and not expired.

How do I check if a JWT is valid without the signing key?

Without the signing key, you can only check structural validity and claims — not cryptographic integrity. This tool verifies: three Base64URL-encoded sections, valid JSON in header and payload, and an exp claim that is not in the past. It cannot verify the signature, which is the only way to confirm the token was issued by your expected authority. To verify the signature, you need the HMAC secret or the RSA/EC public key from the issuer's JWKS endpoint.

What other tools on this site work with JWTs and authentication?

The Base64 Encoder can manually decode individual JWT parts (each section is Base64URL encoded). The Hash Generator produces HMAC-SHA256 digests used in HS256 token signatures. The Password Generator creates cryptographically secure HMAC secrets for JWT signing. The JSON Formatter helps read the surrounding API response structure that contains JWTs. All are in the Dev Tools section.