JWT Decoder

100% private

Free online JWT decoder — paste any JSON Web Token to instantly view the header, payload, and expiry. 100% browser-based, your token never leaves your machine.

The online JWT decoder instantly parses any JSON Web Token and displays its three components in a readable format: the header (algorithm and token type), the payload (claims such as sub, iss, exp, iat, and any custom fields), and the Base64url-encoded signature. Like jwt.ms and jwt.io, this JWT decoder tool runs entirely in your browser — your token is never sent to a remote server, stored in a log, or shared with any third party.

The decoder highlights the token expiry (exp claim) in human-readable local time so you can instantly see whether a JWT is still within its lifetime or has expired — a common cause of 401 errors in production. The valid / expired status reflects the exp claim only; it is not a signature check. All standard JWT algorithms are supported for display: HS256, RS256, ES256, and all SHA-384 and SHA-512 variants. The tool also flags malformed tokens with clear error messages, covering missing segments, invalid Base64url padding, and non-JSON payloads.

Whether you are debugging a Spring Boot JWT decoder configuration, inspecting a Flutter jwt_decoder package output, decoding a Python PyJWT token, or checking what the jsonwebtoken npm package produces, this tool decodes any standard JWT in milliseconds. Paste the token, inspect the claims, and move on — no signup, no install, no server calls.

How It Works

  1. Paste your JWT token (the three-part dot-separated string) into the input field
  2. The decoder instantly splits the token into header, payload, and signature segments
  3. Each Base64url-encoded segment is decoded and displayed as formatted JSON
  4. The exp claim is automatically converted to a human-readable expiry date with valid or expired status
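
The four steps above as a small decode-only function, including the malformed-token cases the page lists (missing segments, invalid Base64url, non-JSON payloads) and the unsecured-token flag from the Developer Tips. This is an added example, not this tool's actual source; the names inspectJwt, parseJsonObject and b64urlToText are assumptions made here.

```javascript
// Added example (not the tool's source): decode-only inspection, no signature check.
function b64urlToText(segment) {
  // JWT segments use the URL-safe alphabet and omit '=' padding.
  if (!/^[A-Za-z0-9_-]*$/.test(segment) || segment.length % 4 === 1) {
    throw new Error('invalid Base64url segment');
  }
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/')
    .padEnd(Math.ceil(segment.length / 4) * 4, '=');
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  // fatal: true rejects byte sequences that are not valid UTF-8.
  return new TextDecoder('utf-8', { fatal: true }).decode(bytes);
}

function parseJsonObject(segment, label) {
  let value;
  try {
    value = JSON.parse(b64urlToText(segment));
  } catch (err) {
    throw new Error(`${label} is not Base64url-encoded JSON: ${err.message}`);
  }
  if (value === null || typeof value !== 'object' || Array.isArray(value)) {
    throw new Error(`${label} must be a JSON object`);
  }
  return value;
}

function inspectJwt(token, nowMs = Date.now()) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated segments, got ${parts.length}`);
  }
  const [h, p, signature] = parts;
  const header = parseJsonObject(h, 'header');
  const payload = parseJsonObject(p, 'payload');
  // exp is seconds since the epoch; JavaScript Date wants milliseconds.
  const hasExp = typeof payload.exp === 'number';
  const expired = hasExp && payload.exp * 1000 <= nowMs;
  return {
    header,
    payload,
    signature, // shown as-is; never decoded or checked here
    unsecured: signature === '' || String(header.alg).toLowerCase() === 'none',
    expiresAt: hasExp ? new Date(payload.exp * 1000).toISOString() : null,
    status: !hasExp ? 'no exp claim' : expired ? 'expired' : 'not expired',
    verified: false, // decoding never proves authenticity
  };
}
```

The returned status only compares exp with the clock; verified is always false because nothing in this function touches a key.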

Features

  • Decode any JWT instantly — no server, no signup required
  • Displays header, payload, and signature in formatted, syntax-highlighted JSON
  • Highlights token expiry (exp) with human-readable date and expired / valid badge
  • Supports all JWT algorithms: HS256, RS256, ES256, PS256, and all SHA-384 / SHA-512 variants
  • Flags malformed tokens with specific error messages
  • Copy decoded JSON with one click
  • 100% client-side: your token never leaves the browser

Examples

Decode a HS256 JWT

Input

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c2VyXzEyMyIsIm5hbWUiOiJBbGljZSIsImlhdCI6MTcxNzY4MDAwMCwiZXhwIjoxNzE3NzY2NDAwfQ.signature

Output

Header: { "alg": "HS256", "typ": "JWT" }
Payload: { "sub": "user_123", "name": "Alice", "iat": 1717680000, "exp": 1717766400 }

Inspect an OAuth id_token (RS256)

Input

eyJhbGciOiJSUzI1NiIsImtpZCI6ImFiYzEyMyIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2FjY291bnRzLmdvb2dsZS5jb20iLCJzdWIiOiIxMTIzNDU2Nzg5IiwiYXVkIjoibXlhcHAiLCJleHAiOjE3MTc3NjY0MDAsImVtYWlsIjoiYWxpY2VAZXhhbXBsZS5jb20ifQ.signature

Output

Header: { "alg": "RS256", "kid": "abc123", "typ": "JWT" }
Payload: { "iss": "https://accounts.google.com", "sub": "1123456789", "aud": "myapp", "exp": 1717766400, "email": "alice@example.com" }

Common Use Cases

  • Debugging 401 Unauthorized errors by inspecting token claims and expiry date
  • Verifying which algorithm a third-party OAuth or SSO provider uses in its JWTs
  • Checking custom claims returned by an identity provider (Auth0, Okta, Keycloak)
  • Inspecting tokens issued by Spring Boot, Python PyJWT, or Flutter jwt_decoder
  • Understanding the difference between id_token and access_token payloads in OAuth 2.0

Developer Tips

  • JWTs are signed but not encrypted — never put passwords, card numbers, or secrets in the payload; anyone with the token can decode it
  • The exp claim is a Unix timestamp in seconds, not milliseconds — in JavaScript use new Date(exp * 1000) to get a readable date
  • If your JWT ends with a trailing dot and the signature segment after it is empty, it is an unsecured JWT (alg: none) — treat it as untrusted in any security context
  • To verify a JWT signature (not just decode it), always use your backend library — client-side verification is not sufficient for access control

Frequently Asked Questions

What is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe token format used to securely transmit information between parties. A JWT consists of three Base64url-encoded parts separated by dots: the header (algorithm and type), the payload (claims), and the signature. JWTs are widely used for API authentication, single sign-on (SSO), and stateless session management.
Can this tool verify a JWT signature?
No. Signature verification requires the secret key (for HMAC algorithms like HS256) or the public key (for RSA/EC algorithms like RS256). This tool only decodes and displays the header and payload — it does not verify authenticity. To verify a JWT, use your server-side library (e.g., jsonwebtoken for Node.js, PyJWT for Python, spring-security-oauth2 for Spring Boot) with the appropriate secret or public key.
Is it safe to paste my JWT here?
Yes. All decoding happens entirely in your browser using JavaScript. Your JWT is never transmitted to any server, stored in any database, or logged anywhere. That said, treat JWTs as sensitive credentials — avoid pasting live production access tokens into any online tool unless you have confirmed its privacy model. This tool is 100% client-side by design.
What claims are in the JWT payload?
Standard registered claims include: sub (subject/user ID), iss (issuer), aud (audience), exp (expiration time as Unix timestamp in seconds), iat (issued at), nbf (not before), and jti (JWT ID). Beyond these, any custom claims defined by your application or identity provider may appear. This JWT decoder displays all claims and converts the exp field into a human-readable expiration status.
What JWT algorithms are supported?
The decoder can display tokens using any algorithm because decoding does not require the key. Supported algorithm types include: symmetric HMAC (HS256, HS384, HS512), asymmetric RSA (RS256, RS384, RS512), ECDSA (ES256, ES384, ES512), and RSA-PSS (PS256, PS384, PS512). The algorithm is shown in the decoded header section.
What is the difference between this JWT decoder and jwt.io or jwt.ms?
jwt.io (by Auth0) and jwt.ms (by Microsoft) are both browser-based online JWT decoder tools. This tool offers the same claim inspection and expiry highlighting with a clean, ad-light interface and identical privacy guarantees — decoding runs entirely in your browser. The main difference is that jwt.io also supports signature verification with a shared secret, which this tool does not. If you only need to inspect claims, this free online JWT decoder tool is fast and private.
How do I decode a JWT in Python, Node.js, Java, or Flutter?
In Node.js, use jwt.decode(token) from the jsonwebtoken npm package to decode without verification. In Python, use jwt.decode(token, options={"verify_signature": False}) from PyJWT. In Spring Boot, configure a JwtDecoder bean via spring-security-oauth2-resource-server. In Flutter, use JwtDecoder.decode(token) from the jwt_decoder package. The jsonwebtoken, PyJWT, and jwt_decoder calls shown here return claims without checking the signature, so treat their output as untrusted input. For quick one-off inspection without writing code, paste the token into this online JWT decoder tool instead.