JWT Decoder

What is the Free JWT Decoder?

The free JWT Decoder lets you instantly inspect the header, payload, and expiry status of any JSON Web Token without writing a single line of code. Paste your JWT into the Token input and the tool decodes the Header (algorithm and type) and Payload (claims, user ID, roles, expiry) from Base64url, then checks the exp and nbf claims and shows whether the token is currently Valid, Expired, or Not Yet Active. No server, no API calls — fully private.

• → Inspect auth tokens from login responses during API development and debugging
• → Check whether a token has expired and read the exact expiry timestamp
• → Read user claims — roles, permissions, user ID, email — from a JWT payload
• → Verify the signing algorithm (HS256, RS256, ES256, etc.) in the token header
• → Debug authentication issues in REST APIs, OAuth 2.0 flows, and SSO integrations

How to Use the Free JWT Decoder

1. 1 Paste your full JWT (the three dot-separated base64url segments) into the Token input field.
2. 2 The tool automatically splits the token and shows the decoded Header and Payload as formatted, readable JSON.
3. 3 Check the status badge — it shows Valid, Expired, or Not Yet Valid based on the exp and nbf timestamp claims compared to the current time.
4. 4 Hover over the Header or Payload section and click the copy button to copy that section's JSON.
5. 5 Note: the Signature section is displayed but not cryptographically verified — signature verification requires the secret key and must be done server-side.

Key Features

• 🔍
  Header & Payload decoded

  Both the header and payload are decoded from Base64url and displayed as formatted, readable JSON.
• ⏱️
  Expiry status check

  Automatically reads exp and nbf claims and shows whether the token is valid, expired, or not yet active.
• 📋
  Copy sections

  Copy the header or payload JSON independently with one click.
• ⚡
  Instant decoding

  The token is decoded as you type — no button press needed.
• 🔒
  Private decoding

  Your JWT is decoded entirely in your browser and never sent to any server.

Example Usage

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0IiwibmFtZSI6IkFsaWNlIiwiaWF0IjoxNTE2MjM5MDIyfQ.Abc123

Header: { "alg": "HS256", "typ": "JWT" }
Payload: { "sub": "1234", "name": "Alice", "iat": 1516239022 }

Frequently Asked Questions about the Free JWT Decoder

What is the free JWT Decoder?

Decode and inspect JSON Web Token headers and payloads without verification.

Is the JWT Decoder free to use?

Yes, the JWT Decoder is completely free. No account, subscription, or signup is required — ever.

Does my data get uploaded anywhere?

No. The JWT Decoder runs entirely in your browser. Your data is never sent to any server.

Does it work offline?

Yes. Once the page has loaded, the tool works without an internet connection.

Which browsers are supported?

All modern browsers — Chrome, Firefox, Safari, and Edge. No plugins or extensions required.

Does this tool verify the JWT signature?

No. The tool decodes the header and payload (which are Base64url-encoded, not encrypted) but does not verify the cryptographic signature. Signature verification requires the secret or public key, which you should never share with a web tool. Use your server-side JWT library (jsonwebtoken, PyJWT, jose, etc.) to verify signatures.

Is it safe to paste my JWT into this tool?

The tool runs entirely in your browser — your token is never sent to any server. That said, treat production JWTs like passwords. If you're debugging a live token with sensitive user data or admin access, consider revoking or rotating it after you're done.

What does "Not Yet Valid" mean?

A JWT can include an nbf ("not before") claim — a Unix timestamp before which the token should be rejected. If the current time is earlier than nbf, the status shows "Not Yet Valid". This is used to issue tokens that activate at a future date, such as scheduled access grants.

Related Free Developer Utilities