JWT Decoder & Debugger

Decode, verify, and debug JSON Web Tokens without secrets


JSON Web Tokens (JWTs) are the standard for modern web authentication. However, they are Base64url-encoded strings that are not human-readable as issued. Our JWT Decoder lets you instantly decode and read the contents (header and payload) of any JWT, making it easy to debug expiration times, user roles, and permissions.

What is a JWT?

A JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact, self-contained way for securely transmitting information between parties as a JSON object. It consists of three parts separated by dots: a Header, a Payload, and a Signature.

Why Decode JWTs?

  • Verify if a token is expired (`exp` claim)
  • Check user permissions and scopes (`scope` or `roles` claims)
  • Debug "401 Unauthorized" errors in your application
  • Inspect the algorithm used (`alg` header)
  • Readable date formatting: Instantly see "exp" as a human date
  • 100% Private: We do not send your sensitive tokens to any backend

How to Debug a Token

1. Paste Token

Copy your JWT string (usually starting with eyJ...) from your console or cookies.

2. Auto-Decode

The tool instantly parses the three sections.

3. Inspect Payload

Read the claims, user ID, and expiration date.

4. Check Header

Verify the signing algorithm (e.g., HS256, RS256).

Key Features

Color-Coded Parts

Visually distinguish Header, Payload, and Signature.

Date Parsing

Automatically converts numeric timestamps (`iat`, `exp`) into readable dates.

JSON Formatting

Pretty-prints the payload for easy reading.

Privacy Safe

Decoding logic runs entirely in your browser.

Validation Warning

Alerts you if the token format is invalid.

Best Practices

  • Never paste real production tokens into untrusted public websites (ours is safe, but be careful)
  • Check the `exp` (expiration) claim first when debugging login issues
  • Ensure the `iss` (issuer) and `aud` (audience) match your expectations
  • Remember: Decoding is NOT verifying. You need the private key to verify the signature.
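
The checks in the list above, as an added example (not DataFormatHub's own code): it decodes a token, reports `exp` as a date, compares `iss` and `aud` against expected values, and always returns `signatureVerified: false`, because a token with a placeholder signature decodes just as cleanly as a genuine one. The names `inspectJwt` and `b64urlToJson`, the issuer and audience values, and the sample token are constructed for illustration.

```javascript
// Added example: decode-only JWT inspection. Nothing here checks the signature.
function b64urlToJson(part) {
  // Base64url uses '-' and '_' and drops '=' padding; restore both before atob().
  const b64 = part.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}

function inspectJwt(token, expected, nowSeconds) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) throw new Error('expected 3 dot-separated parts');
  // Header and payload must be non-empty base64url; the signature may be empty.
  if (!parts.every((p, i) => /^[A-Za-z0-9_-]*$/.test(p) && (i === 2 || p.length > 0))) {
    throw new Error('invalid base64url characters or empty header/payload');
  }
  const header = b64urlToJson(parts[0]);
  const payload = b64urlToJson(parts[1]);
  const findings = [];
  if (String(header.alg).toLowerCase() === 'none') findings.push('alg is "none": token is unsigned');
  if (typeof payload.exp !== 'number') findings.push('no numeric exp claim');
  else if (payload.exp <= nowSeconds) findings.push('expired');
  if (payload.iss !== expected.iss) findings.push('iss mismatch');
  // aud may be a single string or an array of strings.
  const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  if (!aud.includes(expected.aud)) findings.push('aud mismatch');
  return {
    header, payload, findings,
    expiresAt: typeof payload.exp === 'number' ? new Date(payload.exp * 1000).toISOString() : null,
    signatureVerified: false, // decoding never proves who issued the token
  };
}

// Constructed sample token (not a real credential); the signature is a placeholder string.
const enc = (o) => btoa(JSON.stringify(o)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const sampleToken = [
  enc({ alg: 'HS256', typ: 'JWT' }),
  enc({ sub: 'user-123', roles: ['admin'], iss: 'https://issuer.example', aud: 'api.example', exp: 1700000000 }),
  'placeholder-signature',
].join('.');

// Evaluate ten minutes after the sample token's exp.
const report = inspectJwt(sampleToken, { iss: 'https://issuer.example', aud: 'api.example' }, 1700000600);
console.log(report.expiresAt, report.findings);
```

The `roles: ['admin']` claim is readable here even though nothing vouches for it, which is why a backend must verify the signature before acting on any claim.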

Common Use Cases

Frontend Dev

Checking if the logged-in user is an Admin or User.

API Testing

Verifying that your backend is issuing generic tokens correctly.

Security Audits

Ensuring tokens do not contain sensitive PII.

Expiration Checks

Seeing exactly when a session will time out.

Frequently Asked Questions

Can I verify the signature here?

No. To verify integrity, you need the secret key. We only decode the readable parts.

Is it secure?

Yes. Your token never leaves your browser window.

What makes a token expired?

A token is expired when its `exp` timestamp is earlier than the current time.

Does it work with encrypted JWTs?

No, JWEs (Encrypted JWTs) cannot be decoded without a key.

JWT Decoder Online - Inspect & Debug JSON Web Tokens | DataFormatHub