Free JWT Decoder

Paste a JSON Web Token below and click Decode to see its header, payload, and standard claims — including human-readable dates for exp, iat, and nbf, and a clear expired/valid status. Everything runs in your browser; nothing is uploaded.

Note: this tool decodes the token so you can read it — it does not verify the signature. Verification requires the secret or public key. Also, even though nothing leaves your browser, avoid pasting live production tokens that grant real access or contain sensitive user data.

Examples
No result yet — press Decode.

About this JWT Decoder

JSON Web Tokens (JWTs) are the de facto standard for stateless authentication in modern web apps and APIs. When a login flow misbehaves, the fastest way to debug it is usually to look inside the token itself: which algorithm signed it, who issued it, which user it belongs to, and — most often — whether it has expired. This free JWT Decoder does exactly that. Paste any token and it instantly splits it into its three parts, base64url-decodes the header and payload, pretty-prints both as JSON, and lays out the standard claims in a readable table with human-friendly UTC dates.

The entire tool runs client-side in your browser. There is no API call, no upload, and no storage — the decoding is plain JavaScript operating on the text in the box. That said, treat tokens like passwords: if a token is live and grants access to a production system, prefer decoding a test or expired token instead.

How a JWT is structured

A JWT is three base64url-encoded segments joined by dots: header.payload.signature.

  • Header — metadata about the token, most importantly alg (the signing algorithm, e.g. HS256 or RS256) and typ (usually JWT).
  • Payload — the claims: registered claims like iss, sub, aud, exp, iat, nbf, and jti, plus any custom claims your app adds (roles, email, tenant id, and so on).
  • Signature — an HMAC or digital signature over the first two segments. It proves the token was issued by someone holding the key and has not been tampered with. This tool displays the raw signature but cannot check it without the key.

Understanding the time claims

  • exp (expiration) — the unix timestamp (in seconds) after which the token must be rejected. This tool compares it against your current clock and shows a green "Valid until" or red "Expired" status.
  • iat (issued at) — when the token was created. Useful for spotting tokens with suspiciously long lifetimes.
  • nbf (not before) — the token must not be accepted before this time. Less common, but occasionally the cause of mysterious "invalid token" errors when server clocks drift.

All three are unix timestamps in seconds, not milliseconds — a classic source of bugs when JavaScript's Date.now() (milliseconds) is compared against them directly. If you need to convert timestamps by hand, our Unix Timestamp Converter handles both units.

Decoding is not verification

The most important thing to understand about JWTs: the header and payload are encoded, not encrypted. Base64url is a reversible text encoding — anyone who obtains a token can read every claim inside it, no secret required. What the secret (or private key) protects is the signature, which lets your server confirm the token is genuine and unmodified. Practical consequences:

  • Never store passwords, card numbers, or other secrets in a JWT payload.
  • Never trust claims from a token whose signature you have not verified server-side.
  • Reject tokens whose header declares alg: none or an algorithm your server does not expect — algorithm-confusion attacks rely on servers being too permissive.
  • Keep token lifetimes short and use refresh tokens for long-lived sessions.

Common JWT debugging scenarios

  • 401 errors after login — decode the token and check exp; an expired token is the most common culprit.
  • Wrong user or missing roles — inspect the payload to confirm the claims your backend actually put in the token match what the frontend expects.
  • Audience/issuer mismatches — compare aud and iss against your API's configured values.
  • Clock skew — if a fresh token is rejected as "not yet valid", check nbf and iat against server time.

FAQ: JWT Decoder

Is this JWT Decoder free?
Yes — the JWT Decoder on Dev Brains AI is completely free to use, with no signup required.
Is my token sent to a server?
No. The token is decoded entirely in your browser using JavaScript (base64url decoding). Nothing you paste is uploaded, logged, or stored on our servers.
Does this tool verify the JWT signature?
No. It decodes the header and payload so you can read them, but it does NOT verify the signature. Signature verification requires the secret key (for HMAC algorithms like HS256) or the public key (for RSA/ECDSA algorithms like RS256), which this tool never asks for. Never treat a decoded token as trusted — always verify signatures on your server.
Is it safe to paste a production token here?
Even though decoding happens locally and nothing leaves your browser, we still discourage pasting production tokens that contain real user data or grant live access. Prefer test tokens, expired tokens, or tokens from a development environment.
Why can anyone decode my JWT without the secret?
The header and payload of a JWT are only base64url-encoded, not encrypted. Encoding is a reversible transformation, so anyone with the token can read its contents. The secret key protects the integrity of the token (via the signature), not its confidentiality — never put sensitive data in a JWT payload.

More developer tools from Dev Brains AI

Working with base64 directly? Try the Base64 Encoder/Decoder, or hash data with the Hash Generator. To go deeper on tokens, read JWT Authentication Explained for Beginners, How to Decode JWT Tokens with Base64 in JavaScript, and JWT vs Session Authentication.