
JWT Decoder

Decode JWT headers and payload safely in-browser.

How This Tool Works

The JWT Decoder decodes JSON Web Tokens (JWTs) to reveal their header, payload, and signature components — without requiring the secret key. A JWT consists of three base64url-encoded sections separated by dots. The header specifies the algorithm (e.g. HS256). The payload contains claims — standard ones like sub (subject/user ID), exp (expiration Unix timestamp), iat (issued-at), and aud (audience). Decoding a JWT shows you these values; verifying a JWT also checks the signature against a secret — this tool does decoding only, which is appropriate for debugging and inspection.

How to Use

  1. Paste the JWT (three dot-separated base64url strings) into field A.
  2. Click Run. The result shows the decoded header (algorithm, token type) and payload (claims, expiry, subject).
  3. Check the exp claim: it is a Unix timestamp. If exp is in the past, the token has expired.
  4. Never decode tokens containing sensitive data in untrusted online tools — use this for development/debugging only.
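The decode-and-inspect steps above, as an added JavaScript example that is not the FixThatAppAll tool's own code: it splits the three base64url segments, parses the header and payload, and reports an expired exp or an alg of none. It assumes Node.js (Buffer) and uses a constructed sample token; the signature segment is shown but never checked.

```javascript
// Added example, not the tool's code. Decodes header/payload only; nothing here verifies a signature.

function base64UrlDecode(segment) {
  // base64url -> base64: restore '+', '/' and '=' padding, then UTF-8 decode.
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

function base64UrlEncode(text) {
  // Used only to build the constructed sample token below.
  return Buffer.from(text, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated segments, got ${parts.length}`);
  }
  const [headerSeg, payloadSeg, signatureSeg] = parts;
  return {
    header: JSON.parse(base64UrlDecode(headerSeg)),
    payload: JSON.parse(base64UrlDecode(payloadSeg)),
    signature: signatureSeg, // kept encoded: decoding never validates it
  };
}

// Inspection only: lists what a reviewer should notice; it never "accepts" a token.
function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const { header, payload } = decodeJwt(token);
  const findings = [];
  if (!header.alg || String(header.alg).toLowerCase() === 'none') {
    findings.push('alg missing or "none": unsigned token, servers must reject it');
  }
  if (typeof payload.exp !== 'number') {
    findings.push('no exp claim: token never expires');
  } else if (nowSeconds > payload.exp) {
    findings.push(`expired at ${new Date(payload.exp * 1000).toISOString()}`);
  }
  return { header, payload, findings };
}

// Constructed sample (not a real credential): HS256 header, payload with exp.
const SAMPLE_JWT = [
  base64UrlEncode('{"alg":"HS256","typ":"JWT"}'),
  base64UrlEncode('{"sub":"user-42","iat":1700000000,"exp":1700003600}'),
  base64UrlEncode('not-a-real-signature'), // placeholder, not an HMAC
].join('.');
```

Calling `inspectJwt(SAMPLE_JWT, 1700001000)` returns the parsed header and payload with no findings; passing a later `nowSeconds` produces the expiry finding.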

Common Questions

Is decoding a JWT the same as verifying it?

No. Decoding reads the payload without checking the signature. Anyone can decode a JWT. Verifying checks the HMAC/RSA signature against the secret key, confirming the token was not tampered with. Always verify on the server; decode for inspection only.

What does the exp claim mean?

exp is a Unix timestamp (seconds since Jan 1 1970 UTC) representing when the token expires. If the current time is greater than exp, the token is expired and should be rejected. You can check the expiry by converting exp to a date using a Unix timestamp converter.

Can I use a JWT without a secret key?

The header algorithm 'none' removes signature verification — this is dangerous and should never be accepted by servers. Well-configured servers reject tokens with algorithm: none.