JWT Decoder

Paste a JWT token to decode it

Decodes header · payload · claims · expiry · HS256 signature verification

Also accepts Bearer eyJ… format

Related Tools

See all ->
Base64 Encoder/DecoderEncode & decode instantlyHash GeneratorMD5 · SHA-256 · SHA-512Password GeneratorSecure & entropy-scoredURL Encoder/DecoderPercent-encode & decodeTimestamp ConverterEpoch → date, batch, timezonesAPI Request Generator & TesterGenerate · Test · 12 langsJSON FormatterFormat & validateRegex TesterTest & debug patterns

JWT Decoder Online Free — Read Claims, Verify Signatures & Check Expiry

Updated May 17, 2026
Share & Support

What's included

Features

Decode any JWT instantly — Base64URL-decodes header and payload into formatted, syntax-highlighted JSON
Claims table with plain-English descriptions for 20+ standard JWT (RFC 7519) and OIDC claims
Time-based claims (exp, iat, nbf, auth_time) converted to human-readable date strings alongside Unix timestamps
Live expiry countdown — colour-coded progress bar and per-second timer show exactly how long until the token expires
HS256 HMAC-SHA256 signature verification via the browser's Web Crypto API — no server, no network request; generate the matching HMAC with our Hash Generator
Bearer prefix auto-strip — paste directly from HTTP Authorization headers without editing; decode URL-encoded headers with our URL Encoder / Decoder
alg: none security warning — amber alert for tokens with no signing algorithm
Syntax highlighting for keys, strings, numbers, and booleans across both panels; view the raw JSON in our JSON Formatter
Sample JWT pre-loaded with name, email, roles, scope, iss, aud, and a far-future exp for instant testing
100% client-side — all decoding and verification runs in the browser, nothing is ever sent to a server

About this tool

Decode and Debug JWT Tokens Instantly — No Install, No Sign-Up

Runs in your browser
No install or signup
Free forever

You're debugging a 401 Unauthorized error and you need to know what's actually inside the JWT. Is it expired? Does it have the right roles? Is the issuer or audience wrong? Paste the token here and find out in two seconds.

Every JWT has three dot-separated parts. The header says which signing algorithm was used (HS256, RS256, ES256). The payload carries the claims — user ID, email, roles, scope, expiry time. The signature proves neither was tampered with. This decoder Base64URL-decodes the header and payload instantly and shows both as formatted, syntax-highlighted JSON with plain-English descriptions for every recognised claim.

Time-based claims that look like 1715990400 are converted to human-readable dates automatically. If there's an exp (expiry) claim, a live countdown ticks down every second so you can watch a token expire in real time — useful when testing token refresh flows.

For HS256 tokens, you can also verify the signature directly in your browser using the Web Crypto API. Enter the shared secret, click Verify, and get an immediate pass or fail — no server, no code.

This tool handles tokens from Auth0, Firebase, AWS Cognito, Google OAuth, Keycloak, Okta, Azure AD, NextAuth.js, and any other standards-compliant identity provider. Paste a full Authorization header with "Bearer " prefix — it's stripped automatically.

Everything runs 100% in your browser. Nothing is uploaded anywhere. Safe for production tokens with real user data.

Step by step

How to Use

  1. 1
    Paste your JWT token into the input boxPaste any JSON Web Token into the large input box at the top. You can paste the raw token (eyJ...) or the full Bearer eyJ... Authorization header value — the "Bearer " prefix is stripped automatically. The decoder begins parsing the moment you paste. Not sure where to start? Click Sample JWT to load a pre-built example token with name, email, roles, scope, iss, aud, and a far-future expiry.
  2. 2
    Read the decoded Header and Payload panelsThe tool splits the token into its three dot-separated segments and Base64URL-decodes the header and payload into formatted, syntax-highlighted JSON. The Header panel shows alg (signing algorithm) and typ. The Payload panel shows all claims, followed by a claims table that lists every recognised field (iss, sub, aud, exp, iat, roles, scope, email, etc.) with a plain-English description of what each claim means.
  3. 3
    Check the expiry status and live countdownIf the token contains an exp (Expiration Time) claim, a colour-coded badge appears in the header bar — Valid (green), Expires soon (amber), or Expired (red) — with a live countdown that ticks every second. A progress bar shows what percentage of the token's lifetime has elapsed. Time-based claims (exp, iat, nbf, auth_time) are displayed as both Unix timestamps and human-readable date strings.
  4. 4
    Verify an HS256 signature (optional)For tokens using alg: HS256, scroll to the Signature panel. Enter your shared HMAC secret in the input field (toggle visibility with the eye button) and click Verify Signature. The tool uses the browser's Web Crypto API to re-compute the expected HMAC-SHA256 and compare it against the token — no server involved. A green "Signature is valid" or red "Signature is invalid" result appears instantly. For RS256 or ES256 tokens, a note explains that server-side verification is needed.
  5. 5
    Watch for security warningsIf the token contains alg: none — meaning no cryptographic signature — an amber warning appears in the Signature panel immediately. Tokens with alg: none are completely unsigned and allow an attacker to forge arbitrary claims. Any production server must reject alg: none tokens entirely. Copy any panel's JSON using the Copy button for use in other tools or log analysis.

Real-world uses

Common Use Cases

{}
Debug a 401 Unauthorized — see the exact claims and expiry
API call returning 401? Paste the Authorization Bearer token from your request header. You'll instantly see the decoded claims, roles, scope, issuer, and audience — and whether the token expired. No code, no curl, no debugging session needed.
Verify an HS256 JWT signature without running any code
Paste the JWT, enter your shared HMAC secret in the Signature panel, and click Verify. The tool re-computes the expected HMAC-SHA256 signature using the Web Crypto API and confirms whether it matches — all in your browser, no server, no library install.
Watch a token expire in real time when testing refresh flows
The live countdown ticks every second against the exp claim. Use it when testing token refresh, session timeout, or rotation behaviour — issue a short-lived token in your dev environment and watch the countdown reach zero to confirm your refresh logic fires at the right moment.
Read what Auth0, Firebase, or Cognito is returning in the ID token
OpenID Connect ID tokens from Auth0, Firebase, Google, Keycloak, and AWS Cognito carry sub, email, name, picture, locale, and custom roles. Paste the token to see exactly what claims your identity provider is returning for each user — essential when debugging user attribute mapping or access control rules.
Audit a JWT for security issues before deploying
Check for alg:none (unsigned token — the tool warns you immediately), excessively long expiry windows, missing iss or aud claims that could allow token reuse across services, or sensitive PII in the payload that should never be JWT-encoded.
Understand what iss, sub, azp, jti, and at_hash mean
New to JWTs? Load the sample token, click every claim in the table, and read the plain-English description. This is the fastest way to understand JWT structure — no RFC reading, no documentation tabs, just click and read. Convert the exp timestamp to a readable date with our Timestamp Converter.

Got questions?

Frequently Asked Questions

Paste your JWT token into the input field. The decoder instantly reads the exp (Expiration Time) claim and shows you a live countdown — if the token is expired, you'll see a red "Expired" badge and exactly how long ago it expired. The payload panel shows all claims so you can spot wrong issuer (iss), audience (aud), or scope values that might cause a 401. This is faster than adding console.log statements or reading raw headers in DevTools.

Paste the full JWT into the input field — including or excluding the "Bearer " prefix (it's stripped automatically). The decoder instantly splits the token into its three parts and Base64URL-decodes the header and payload, displaying them as formatted, syntax-highlighted JSON. You don't need a secret key to read the claims — the header and payload are encoded, not encrypted, so anyone with the token string can read them. Every recognised claim (iss, sub, aud, exp, iat, roles, scope, email, etc.) is shown with a plain-English description.

Yes — all processing runs entirely in your browser. Decoding, signature verification, and expiry calculation all happen in client-side JavaScript using the Web Crypto API. Nothing is ever transmitted to any server. If you're handling production tokens with sensitive user data, you can disconnect from the internet before pasting to be completely certain nothing leaves your machine. Unlike jwt.io (which makes network requests), this tool is 100% client-side.

For HS256 (HMAC-SHA256) tokens: paste your JWT, scroll to the Signature panel, enter your shared secret, and click Verify. The tool uses the browser's Web Crypto API to re-compute the expected HMAC-SHA256 signature from the header and payload and compare it against the token — entirely in your browser, no server involved. For RS256 (RSA) or ES256 (ECDSA) tokens from identity providers like Auth0, Cognito, or Google, browser-side verification requires the public key and is not currently supported here — use your server-side JWT library for those.

The exp (Expiration Time) claim is a Unix timestamp — seconds since January 1, 1970. This tool automatically converts exp, iat (Issued At), nbf (Not Before), and auth_time to human-readable date-time strings alongside the raw Unix values, so you can read them instantly. It also shows a live countdown timer that ticks down every second, plus a colour-coded progress bar showing what percentage of the token's lifetime has elapsed.

When you copy an Authorization header value from browser DevTools, Postman, or an API client, it typically reads "Bearer eyJhbGci...". Paste it directly — the tool automatically strips the "Bearer " prefix (case-insensitive) before decoding, so you don't need to edit the string. You can also paste just the raw token if you prefer.

Decoding means reading the header and payload — it requires no secret and simply Base64URL-decodes the first two dot-separated segments. Anyone with the token string can decode it, which is why JWT payloads should never contain sensitive secrets like passwords or credit card numbers. Verifying means checking the cryptographic signature matches the header and payload using the secret or public key — proving the token was issued by a trusted party and hasn't been tampered with. Always verify JWTs on the server side before trusting their claims. Decoding without verifying is only for debugging.

Paste the token — it works with any standards-compliant identity provider. JWTs from Auth0, Firebase Authentication, AWS Cognito, Google OAuth 2.0, Keycloak, Okta, Azure AD, and NextAuth.js all follow the same RFC 7519 structure. OIDC-specific claims like sub, email, picture, locale, roles, scope, and azp (Authorized Party) are all recognised and shown with descriptions. These providers typically use RS256 (RSA-signed), so the signature can be decoded but not verified here without the public key.

alg:none means the JWT carries no cryptographic signature — it's a completely unsigned token. The JWT spec originally allowed this, but an attacker can exploit any server that accepts alg:none tokens by crafting arbitrary payloads with fake user IDs, elevated roles, or extended expiry times — no secret needed. This is CVE-2015-9235, a well-known critical vulnerability. This decoder shows an amber warning when it detects alg:none. A production server must reject tokens with alg:none entirely.

The security of a JWT comes from the signature, not from the encoding. The header and payload are Base64URL-encoded — which is trivially reversible — so anyone who obtains the token can read the claims inside it. This is by design: JWT is transparent, not encrypted. The signature at the end, computed from the header and payload using a secret key, is what prevents tampering. An attacker who modifies any claim will produce an invalid signature that the server will reject. Never put passwords, payment data, or private secrets in a JWT payload — only put data you are comfortable exposing.

These are the five core registered claims defined in RFC 7519. iss (Issuer) identifies who created and signed the token — typically an identity provider URL like https://accounts.google.com or https://your-tenant.auth0.com. sub (Subject) identifies the principal the token represents — usually a user ID or service account ID, unique within the issuer's namespace. aud (Audience) identifies the intended recipients of the token — your API server checks that its own identifier appears here before accepting the token. exp (Expiration Time) is a Unix timestamp after which the server must reject the token. iat (Issued At) is the Unix timestamp when the token was created, used for audit logging and to calculate the token's current age. Your server should validate all five claims on every request.

In JavaScript: const [header, payload] = token.split(".").slice(0, 2).map(part => JSON.parse(atob(part.replace(/-/g, "+").replace(/_/g, "/")))); — atob() decodes Base64, the replace calls convert Base64URL characters to standard Base64. In Python: import base64, json; parts = token.split("."); payload = json.loads(base64.urlsafe_b64decode(parts[1] + "==")) — the "==" padding handles the missing Base64 padding that Base64URL omits. For production code, always use a JWT library (jsonwebtoken for Node.js, PyJWT for Python, jose for browser/edge) that also handles signature verification, claim validation, and algorithm restrictions. Manual decoding without verification is only appropriate for debugging, logging, and inspection tools.