JWT Decoder

All tools

Paste a JWT token below to decode the header and payload. Decoding does not verify the signature.

alg
typ
exp (UTC)

Note: this tool decodes only. It does not validate or verify signatures.

What is a JWT?

JWT (JSON Web Token) is a compact token format used for authentication and authorization.

A JWT usually has three parts: header, payload, and signature. This tool decodes header and payload locally in your browser and does not verify the signature.

How to use the JWT Decoder

  1. Paste a JWT token into the input field.
  2. The tool will decode the header and payload as formatted JSON.
  3. Copy the decoded JSON if you need it for debugging.

Tips

  • If decoding fails, check that your token has three dot-separated parts.
  • Claims like exp, iat, and nbf are usually UNIX seconds.
  • If your token was copied with spaces or line breaks, remove them.
  • Signature verification requires the secret or public key and is not done here.

Related guides

Learn the workflow behind this tool and what to check next.

JWT inspection checks before troubleshooting auth

Decoding a JWT helps you verify claims and expiration metadata, but it does not prove that the token is trusted or accepted by your backend.

Expiration claims

Check exp, iat, nbf, timezone assumptions, and clock skew before investigating sessions or refresh token flows.

Audience and issuer

Confirm aud, iss, tenant, client_id, and environment values match the service that will validate the token.

Role and scope claims

Inspect scopes, roles, permissions, and feature flags when an authenticated request is accepted but unauthorized.

Signature caution

Decoded content is not verification. Never treat an unsigned or unverified token as proof of identity.

Privacy and usage

Built for quick checks without an account

Toolinix tools are designed for short developer tasks: paste a safe sample, inspect the result, copy what you need, and move on.

No login required

You can use the tools without creating an account, subscribing to a newsletter, or saving a workspace.

Local when possible

Formatters, generators, encoders, and text utilities generally run in your browser. Network diagnostics may need a server-assisted lookup to check public URLs, domains, or IPs.

Keep secrets out

Do not paste production passwords, private keys, access tokens, customer records, or regulated data into online tools unless your own security policy allows it.

Related tools

You may also find these tools useful.

JWT Decoder FAQ

Does this tool verify the JWT signature?
No. It only decodes the header and payload.
Is my token sent to the server?
No. Decoding happens locally in your browser.
Why do I see an exp field?
exp is the expiration time claim, usually stored as UNIX seconds.
Can I decode an encrypted JWT (JWE)?
This tool is intended for standard signed JWTs (JWS). Encrypted tokens (JWE) require decryption keys.