JWT Decoder Online Free — Inspect Token Claims & Expiry
The free JWT Decoder lets you paste any JSON Web Token and instantly see its decoded header, payload, all claims, and whether the token has expired. Everything is processed client-side — your token never leaves your browser.
What Is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe string used to represent claims between two parties. In web development, JWTs are most commonly used as authentication tokens — a server issues a JWT after login, and the client sends it with each request as proof of identity. The server verifies the token's signature and reads the claims inside to authorize the request.
A JWT consists of three Base64URL-encoded sections separated by dots:
- Header — algorithm and token type
- Payload — the claims (data)
- Signature — verifies that the token has not been tampered with
Decoding a JWT reveals the header and payload in plain text. The signature can only be verified if you have the server's secret key — the decoder shows the raw signature bytes but cannot validate them without the key.
How to Decode a JWT
- Open the JWT Decoder.
- Paste your JWT into the input field. It typically looks like:
  eyJ…header….eyJ…payload….signature
- The decoded header and payload appear immediately below.
- Check the Expiry section to see whether the token is still valid, expired, or has no expiry set.
JWT Claims Reference
| Claim | Full Name | Description |
|---|---|---|
| iss | Issuer | Who created the token (e.g. your auth server URL) |
| sub | Subject | The user or entity the token represents |
| aud | Audience | Who the token is intended for |
| exp | Expiration | Unix timestamp after which the token is invalid |
| iat | Issued At | Unix timestamp when the token was created |
| nbf | Not Before | Token is invalid before this Unix timestamp |
| jti | JWT ID | Unique identifier for the token (prevents replay attacks) |
Common JWT Debugging Scenarios
Token expired — 401 Unauthorized
The most common cause of unexpected 401 errors is an expired JWT. Paste the token into the decoder and check the exp claim. The tool converts the Unix timestamp to a human-readable date and shows whether the token is currently valid. If it has expired, the client needs to refresh or re-authenticate.
Wrong audience or issuer
If your API returns 403 Forbidden even with a valid, unexpired token, the server may be rejecting the token because the aud or iss claim does not match what it expects. Decode the token and compare these values against your API's expected issuer and audience configuration.
Missing claims
Authorization logic often reads custom claims from the payload — roles, permissions, tenant IDs. If a user is unexpectedly denied access, decode their token and confirm the relevant claim is present and has the expected value. This is much faster than adding debug logging and re-deploying.
Algorithm mismatch
The header contains an alg field specifying the signing algorithm — typically HS256, RS256, or ES256. If your server is configured to accept only one algorithm but the token uses another, verification will fail. Decode the header to confirm the algorithm matches your server's expectation.
Security Note: Never Share Tokens Containing Real Credentials
A JWT's payload is Base64-encoded but not encrypted — anyone with the token can decode and read its claims. Avoid pasting production tokens into any online tool, including this one, if the token grants access to real systems. Use test tokens or tokens from a development environment for debugging. This tool processes tokens entirely in your browser and sends nothing to a server, but the security advice applies regardless.