100% CLIENT-SIDE — YOUR TOKENS NEVER LEAVE YOUR BROWSER

JWT Decoder & Inspector

Paste a JWT token → instantly see its header, payload, claims, and expiration. Your token never leaves your browser.


What is a JWT Token?

JSON Web Tokens (JWT) are a compact, URL-safe way to represent claims between two parties. They're widely used for authentication and authorization in modern web applications, APIs, and microservices.

JWT Structure

A JWT consists of three parts separated by dots:

Common JWT Claims

Security Note

This decoder runs entirely in your browser. Your JWT tokens are never sent to any server. However, remember that JWTs are only encoded, not encrypted — anyone with the token can read its contents. Never store sensitive data directly in JWT payloads.

Frequently Asked Questions

How do I decode a JWT token?

Paste your JWT token (the long string with two dots separating three parts) into the decoder. The tool instantly splits it into header, payload, and signature sections and Base64URL-decodes each part. You can see the algorithm, token type, expiration date, user claims, and any custom data embedded in the token.

Is it safe to paste a JWT token into an online decoder?

With a client-side decoder like this one, yes — your token never leaves your browser. However, be careful with production JWTs that contain sensitive user data. For maximum safety, use this tool with test tokens or tokens from development environments. Never paste tokens in tools that send data to servers.

What are the three parts of a JWT?

A JWT has three Base64URL-encoded parts separated by dots: 1) Header — contains the token type ("JWT") and signing algorithm (RS256, HS256, etc.); 2) Payload — contains claims like user ID, roles, expiration time; 3) Signature — cryptographically verifies the token hasn't been tampered with.

What does JWT expiration mean?

The exp claim in a JWT payload is a Unix timestamp indicating when the token expires. After this time, the server should reject the token and require the user to log in again. Short-lived tokens (15-60 minutes) are more secure. Refresh tokens are used to obtain new access tokens without re-authentication.

What is the difference between JWT and session cookies?

With session cookies, the browser holds only a session ID and the session data stays on the server, which looks up the session for each request. JWTs are self-contained: all user information is encoded in the token itself, which is verified with a signature. JWTs work well for stateless APIs and microservices; session cookies are simpler for traditional web apps.
