JWT Decoder & Inspector
Decode and inspect JWT tokens instantly. View header, payload, and claims with expiry visualization. Everything runs in your browser — no server calls.
Decode only. This tool decodes the token structure and claims. It does not verify the signature. Never trust claims without server-side signature verification.
Paste any bearer token or start with a sample to inspect claims, expiry, and raw segments without verifying the signature.
Paste a JWT token to inspect it
Bearer prefix is stripped automatically
How JWT decoding works
A JWT, in the compact serialization this tool handles, is three base64url-encoded segments joined by dots: header.payload.signature. The first two are just encoded JSON, so decoding them is trivial and needs no key. Note that the encoding is base64url (alphabet ending in - and _, no = padding), not standard base64, which is why a strict base64 decoder may reject a token. The third segment is a signature over the first two and is only meaningful to a verifier holding the issuer's secret or public key. This tool decodes the header and payload, shows the signature segment as-is, and presents the claims in a readable format.
Common JWT debugging scenarios
Token expired: Check the exp claim, which is in Unix seconds, not milliseconds. If it is earlier than the current time, the token has expired; the server should reject it (typically with a 401) and the client should detect this and refresh or re-authenticate. Verifiers normally allow a few seconds of leeway for clock skew.
Wrong audience or issuer: APIs that validate aud and iss reject tokens whose values do not match, even when the signature is valid. Confirm both match what the server expects. Note that aud may be a single string or an array of strings; the server's expected audience must appear in it.
Missing claims: If your middleware fails with a claim error but the token looks well-formed, check whether the issuing service actually includes the claim being looked for. An anonymous token, for example, may legitimately carry no sub.
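The decoding steps from "How JWT decoding works" and the three checks from the scenarios above, as an added example that is not the tool's own code. The base64url codec is written out so the example runs in any browser or Node without libraries; the sample tokens are constructed in-block and carry a fake signature segment, and nothing here verifies a signature. The option names now, issuer, audience and required are assumptions for this example.

```javascript
// Added example (not the tool's own code): decode a JWT the way the tool does,
// then run the expiry / audience / issuer / missing-claim checks described in
// the debugging scenarios above. The sample tokens are constructed in-block
// and carry a fake signature segment; nothing here verifies a signature.

const B64URL = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';

// base64url -> UTF-8 string. JWT segments omit '=' padding, so padding is
// tolerated but not required; any other non-alphabet character is an error.
function b64urlDecode(s) {
  s = s.replace(/=+$/, '');
  const bytes = [];
  let buf = 0, bits = 0;
  for (const ch of s) {
    const v = B64URL.indexOf(ch);
    if (v < 0) throw new Error(`invalid base64url character ${JSON.stringify(ch)}`);
    buf = (buf << 6) | v;
    bits += 6;
    if (bits >= 8) {
      bits -= 8;
      bytes.push((buf >> bits) & 0xff);
      buf &= (1 << bits) - 1;      // keep only the leftover bits
    }
  }
  return new TextDecoder().decode(Uint8Array.from(bytes));
}

// UTF-8 string -> base64url without padding (used only to build sample tokens).
function b64urlEncode(str) {
  let out = '', buf = 0, bits = 0;
  for (const b of new TextEncoder().encode(str)) {
    buf = (buf << 8) | b;
    bits += 8;
    while (bits >= 6) {
      bits -= 6;
      out += B64URL[(buf >> bits) & 63];
    }
    buf &= (1 << bits) - 1;
  }
  if (bits > 0) out += B64URL[(buf << (6 - bits)) & 63];
  return out;
}

// Split "Bearer <token>" or a bare token into its three segments and parse
// the first two. The signature is returned raw and is NOT checked.
function decodeJwt(token) {
  const t = token.trim().replace(/^bearer\s+/i, '');
  const parts = t.split('.');
  if (parts.length !== 3) throw new Error(`expected 3 dot-separated segments, got ${parts.length}`);
  const [h, p, sig] = parts;
  return {
    header: JSON.parse(b64urlDecode(h)),
    payload: JSON.parse(b64urlDecode(p)),
    signature: sig,
  };
}

// Apply the scenario checks. now / issuer / audience / required are the
// verifier's expectations (assumed option names). Times are Unix SECONDS, as
// the exp/iat/nbf claims are; Date.now() is milliseconds, hence the division.
function inspectClaims(payload, expected = {}) {
  const now = expected.now ?? Math.floor(Date.now() / 1000);
  const problems = [];
  if (typeof payload.exp === 'number' && payload.exp <= now) {
    problems.push(`expired ${now - payload.exp}s ago (exp=${payload.exp})`);
  }
  if (typeof payload.nbf === 'number' && payload.nbf > now) {
    problems.push(`not valid for another ${payload.nbf - now}s (nbf=${payload.nbf})`);
  }
  if (expected.issuer !== undefined && payload.iss !== expected.issuer) {
    problems.push(`issuer mismatch: got ${JSON.stringify(payload.iss)}, want ${JSON.stringify(expected.issuer)}`);
  }
  if (expected.audience !== undefined) {
    // aud may be a single string or an array of strings
    const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
    if (!aud.includes(expected.audience)) {
      problems.push(`audience mismatch: got ${JSON.stringify(payload.aud)}, want ${JSON.stringify(expected.audience)}`);
    }
  }
  for (const claim of expected.required ?? []) {
    if (!(claim in payload)) problems.push(`missing claim: ${claim}`);
  }
  // intended lifetime, per the "compare iat with exp" tip
  const ttlSeconds = (typeof payload.iat === 'number' && typeof payload.exp === 'number')
    ? payload.exp - payload.iat : null;
  return { problems, ttlSeconds };
}

// Constructed sample: HS256 header, caller-supplied claims, fake signature.
function makeSampleToken(claims) {
  const header = { alg: 'HS256', typ: 'JWT' };
  return [b64urlEncode(JSON.stringify(header)),
          b64urlEncode(JSON.stringify(claims)),
          b64urlEncode('not-a-real-signature')].join('.');
}

// Usage: a token that was valid for one hour, inspected two hours after issue.
const sample = makeSampleToken({
  iss: 'https://issuer.example', aud: 'api', sub: 'user-1',
  iat: 1700000000, exp: 1700003600,
});
console.log(inspectClaims(decodeJwt(`Bearer ${sample}`).payload, {
  now: 1700007200, issuer: 'https://issuer.example', audience: 'api', required: ['sub'],
}));
```

The usage call at the bottom reports one problem (expired 3600s ago) and a TTL of 3600s. Swapping the expected audience or removing sub from the sample claims produces the mismatch and missing-claim findings from the other two scenarios.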
Frequently Asked Questions
A JSON Web Token (JWT) is a compact, self-contained token format for transmitting claims between parties. In its signed form it consists of three base64url-encoded segments: a header (algorithm and token type), a payload (the claims), and a signature over the first two. JWTs are commonly used for authentication and API authorization.
Decoding extracts and parses the header and payload; anyone can do this without any key. Verifying recomputes or checks the signature with the expected secret or public key and confirms that it matches, which only a party holding the right key can do. Decoding proves nothing about who issued the token or whether it was altered, so never trust claims from a decoded-but-unverified token in security-sensitive code, and never make an authorization decision from them.
The payload is base64url encoded, not encrypted. For a signed JWT (JWS) this is by design: the client can read claims such as the user's name or roles without a server round-trip. A valid signature lets the verifier detect tampering, but it hides nothing, so the payload is visible to anyone who holds the token and must not contain secrets. (The separate JWE format does encrypt the payload; this tool targets signed tokens.)
iss (issuer), sub (subject, usually the user ID), aud (audience; a string or an array of strings), exp (expiration time), iat (issued-at time), nbf (not before) and jti (unique token ID). exp, iat and nbf are NumericDate values: Unix time in seconds, not milliseconds. Custom claims can be anything your application needs.
The exp claim is an expiration timestamp in Unix seconds; if it is earlier than the verifier's current time, the token is expired. Common causes: clock skew between issuer and verifier (verifiers usually allow a few seconds of leeway), a token TTL that is too short for the flow, or reuse of an old token from development. Compare iat with exp to see the intended TTL, and make sure you are comparing seconds with seconds (Date.now() in JavaScript returns milliseconds).
This tool runs entirely in your browser and sends nothing to any server. Even so, be cautious with production tokens: a JWT is a bearer credential, so anyone who obtains it can use it until it expires, and pasting it into tools, logs or screenshots widens that exposure. Prefer sample or development tokens when debugging.