Copied!
Back
Security Tool

JWT Decoder & Token Inspector

Decode any JSON Web Token (JWT) instantly and inspect its header, payload and claims. This free online JWT decoder parses tokens compliant with RFC 7519, displays registered claims like iss, sub, exp, iat, and highlights token expiration status in real time. Paste an OAuth bearer token, an API access token, or any JWS to view its decoded contents. All processing runs entirely in your browser — your token never leaves your device.

jwt-decoder.tool

How to use the JWT decoder

JWTs are everywhere — OAuth bearer tokens, Auth0/Cognito sessions, signed API requests. The decoder splits a token into its three Base64-URL parts (header, payload, signature) and shows the claims human-readably. Decoding happens entirely in your browser; tokens never leave the page.

Common JWT mistakes to avoid

Frequently Asked Questions

What is the difference between decoding and verifying a JWT?
Decoding a JWT extracts the header and payload by Base64URL-decoding them — no secret key is needed. Verifying checks the cryptographic signature against a secret (HMAC) or public key (RSA/ECDSA) to confirm the token hasn't been tampered with. This tool decodes JWTs for inspection purposes. You should always verify signatures on your server before trusting any claims in production, as defined in RFC 7519.
Is it safe to decode a JWT token online?
It depends on the tool. This JWT decoder runs 100% in your browser using JavaScript — no data is ever sent to any server. Your token stays on your device. Avoid online decoders that submit tokens to backend APIs, because JWTs often contain user IDs, email addresses, roles, and session data that could be logged or intercepted.
Can you decode a JWT without the secret key?
Yes. A JWT consists of three Base64URL-encoded parts: header, payload, and signature. The header and payload are not encrypted — they are simply encoded. Anyone can decode them without any key. The secret key is only needed to verify the signature. This is why you should never store sensitive data like passwords or credit card numbers directly in a JWT payload.
What does the exp claim mean in a JWT?
The exp (expiration time) claim is a registered JWT claim defined in RFC 7519. It specifies a UNIX timestamp (seconds since January 1, 1970 UTC) after which the token must not be accepted. If the current time exceeds the exp value, the token is expired. Servers should always check this claim. Common expiration times range from 15 minutes (access tokens) to 7 days (refresh tokens).
Should I store sensitive data in a JWT payload?
No. JWT payloads are Base64URL-encoded, not encrypted. Anyone who intercepts a JWT can read its full payload. Store only non-sensitive identifiers (user ID, role, permissions) in the payload. For truly confidential data, use JWE (JSON Web Encryption) defined in RFC 7516, or keep the data server-side and reference it via a claim ID.
What are the registered claims in a JWT?
RFC 7519 defines seven registered claims: iss (issuer), sub (subject), aud (audience), exp (expiration time), nbf (not before), iat (issued at), and jti (JWT ID). These are optional but recommended for interoperability. Most OAuth 2.0 and OpenID Connect implementations use these claims.

Related Tools

b64
Base64 Encoder / Decoder
Encode and decode Base64 strings
%
URL Encoder / Decoder
Percent-encode and decode URLs
#
Hash Generator
Generate MD5, SHA-256, SHA-512 hashes