Free JWT Token Decoder Online — Decode, Inspect & Verify JSON Web Tokens
Decode JSON Web Tokens (JWT) instantly to view their header and payload claims securely.
How to Decode a JWT Token Online
Paste your JWT token — the long string that looks like xxxxx.yyyyy.zzzzz — into the input field above. The tool instantly splits the token into its three parts and decodes the Header and Payload into readable JSON. You can see all claims including the signing algorithm, user ID, expiration time (exp), issued-at time (iat), and any custom data. Optionally, enter your HS256 secret key to verify the signature live in your browser — no server involved.
What is a JWT Token?
A JSON Web Token (JWT) is a compact, URL-safe way to transmit claims between two parties in a form whose integrity can be verified. It is most commonly used for authentication and authorization in web apps and REST APIs. After a user logs in, the server creates a JWT signed with a secret key and sends it to the client. The client then includes this token in every API request (usually in the Authorization: Bearer header), and the server verifies the signature before trusting any claim in it. Because JWTs are self-contained, there is no need to query a database on every request — the payload carries everything the server needs to know.
Is It Safe to Paste a JWT Token Here?
Our JWT decoder runs 100% in your browser — your token is decoded using JavaScript's atob() function and the Web Crypto API. Nothing is sent to our servers. That said, treat production JWTs with care: if your token contains sensitive claims (like admin role flags or personal data), avoid pasting it into any online tool unnecessarily. Use this tool primarily for development, debugging, and learning. For signature verification in production, use your backend's JWT library directly.
The 3-Part JWT Structure Explained
Every JWT has three Base64Url-encoded sections joined by dots (.). Each section serves a distinct purpose:
① Header
{
"alg": "HS256",
"typ": "JWT"
}
Declares the signing algorithm (HS256, RS256, ES256) and confirms this is a JWT.
② Payload (Claims)
{
"sub": "user_123",
"role": "admin",
"exp": 1735689600
}
The actual data. Contains standard claims like sub, exp, iat and your custom application data.
③ Signature
HMACSHA256( base64(header) + "." + base64(payload), your_secret )
Proves the token was created by a trusted source and hasn't been tampered with. Validating it requires the server's secret key for HS256 (or the issuer's public key for RS256/ES256).
⚠️ Important: The payload is only Base64-encoded — it is not encrypted. Anyone who has the token can decode and read the payload. Never put sensitive secrets (passwords, credit card numbers) in JWT claims.
Standard JWT Registered Claims — Explained
sub
Subject — The entity the token refers to. Usually a user ID like "u_83920". Required by most auth systems.
exp
Expiration — Unix timestamp when the token expires. Our tool shows this as a human-readable date and warns if the token has already expired.
iat
Issued At — When the token was created (Unix timestamp). Useful for calculating the token's age and implementing sliding expiry.
iss
Issuer — The server that created the token, e.g. "auth.yourapp.com". Clients should validate this to prevent cross-service token reuse.
aud
Audience — The recipient of the token. For multi-service architectures, this prevents a token issued for Service A from being accepted by Service B.
nbf
Not Before — Token cannot be used before this timestamp. Useful for issuing tokens that activate in the future (scheduled access).
Frequently Asked Questions
Can this tool verify the JWT signature?
Yes, for HS256 tokens: enter the secret key and the signature is checked live in your browser with the Web Crypto API, without the token or the key leaving your machine.
Can I decode expired tokens?
Yes. Decoding a token shows its contents regardless of whether it has expired.