JWT Decoder Online - Decode JSON Web Tokens Instantly, Free

A JWT decoder online lets you inspect the contents of any JSON Web Token in seconds - seeing the header algorithm, payload claims, and expiration time - without installing anything.

What is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe string used to represent claims between two parties. JWTs are the dominant authentication mechanism in modern web applications, mobile apps, and APIs. You will encounter them as:

• Bearer tokens in Authorization headers
• Tokens stored in localStorage or cookies
• ID tokens from OAuth providers (Google, Auth0, Okta)
• Session tokens from AWS Cognito, Firebase, or Supabase

A JWT consists of three Base64URL-encoded parts separated by dots:

header.payload.signature

The header declares the algorithm. The payload contains the claims (user ID, roles, expiry). The signature is a cryptographic proof that the token was issued by a trusted party.

How to Use the JWT Decoder

1. Open the JWT Decoder on UtilWave.
2. Paste the JWT string (the full xxxxx.yyyyy.zzzzz token).
3. The tool splits and decodes the header and payload instantly.
4. The expiry (exp) claim is parsed and shown as a human-readable date.
5. The tool indicates whether the token is currently valid or expired based on the current time.
6. Decoding is entirely local - your token is never sent anywhere.

What You Can Learn from a Decoded JWT

From the header:

• alg - the signing algorithm (e.g., HS256, RS256, ES256)
• typ - always JWT
• kid - key ID, if the issuer uses multiple keys

From the payload:

• sub - subject (usually the user ID)
• iss - issuer (the service that created the token)
• aud - audience (the intended recipient)
• exp - expiration time (Unix timestamp)
• iat - issued at time
• Custom claims: roles, permissions, email, etc.

Important: Decoding is Not Verification

Decoding a JWT only reads the Base64URL-encoded content - it does not verify the cryptographic signature. Anyone can decode a JWT. Never trust a JWT's claims without server-side verification using the correct secret or public key.

This tool is for debugging and inspecting tokens you already have, not for building authentication systems.

FAQ

Is it safe to paste my JWT here? Decoding runs entirely in your browser with no server communication. However, as a best practice, avoid pasting production tokens from live user sessions. Use test or development tokens for debugging.

What is the difference between HS256 and RS256? HS256 uses a shared secret (symmetric). RS256 uses a public/private key pair (asymmetric). RS256 tokens can be verified by anyone with the public key, which is why it is preferred for distributed systems.

Can I see the signature? The signature section is shown but not verified - verification requires the secret or public key, which the tool does not have.

What does exp mean and how is it formatted? exp is a Unix timestamp (seconds since January 1, 1970 UTC). The decoder converts it to a readable date for you.

Inspect any token instantly with the free JWT Decoder.