DevToolHere

How to Decode JWT Tokens Online

JSON Web Tokens (JWTs) are the backbone of modern authentication. When something goes wrong — expired tokens, wrong claims, algorithm mismatches — you need to quickly inspect the token contents. This guide shows you how to decode and analyze any JWT.

1. Paste the JWT token

Copy the full JWT string (the three dot-separated parts) and paste it into the input field. The tool immediately splits it into header, payload, and signature sections.

2. Inspect the header

The header section shows the signing algorithm (e.g., RS256, HS256) and the token type. Check that the algorithm matches what your server expects; the server must pin the algorithm it accepts rather than trusting the token's own alg value, otherwise it is open to algorithm confusion attacks.

3. Read the payload claims

The payload displays all claims in a formatted JSON view. Standard claims like iss (issuer), sub (subject), exp (expiration), and iat (issued at) are highlighted with human-readable timestamps.

4. Check token expiration

The tool automatically calculates whether the token is expired based on the exp claim and your current time. Expired tokens are flagged with a warning banner showing how long ago they expired.

5. Verify the signature (optional)

For HS256 tokens, enter the shared secret to verify that the signature is valid. For RS256, paste the public key. A valid signature confirms the token has not been tampered with since it was signed.

Pro Tips

  • Never trust a JWT without verifying its signature server-side — decoding is not the same as validating.
  • The exp claim is a Unix timestamp in seconds, not milliseconds. Getting the factor of 1000 wrong when comparing it against Date.now(), which returns milliseconds, is a common JavaScript bug.
  • Use short-lived access tokens (5-15 minutes) with refresh tokens for better security.
  • Check the aud (audience) claim to make sure the token was intended for your application.
  • JWTs are encoded, not encrypted — anyone can read the payload, so never put secrets in it.
