
JWT Decoder

Free online JWT decoder. Paste a JSON Web Token to instantly read its header and payload as clean JSON. Runs in your browser, nothing is uploaded.

What the JWT Decoder does

This tool takes a JSON Web Token and instantly splits it into readable parts so you can see what is actually inside. Paste a token and it shows the decoded header (the algorithm and token type) and the payload (the claims, like subject, issuer, expiry and any custom fields), each formatted as clean, indented JSON. It is handy for backend and frontend developers, QA testers and anyone debugging an auth flow who needs to confirm what a token carries before trusting it.

A quick note on scope: this decoder reads a token, it does not verify the signature. Decoding is not the same as validating, so never treat a decoded payload as proof the token is genuine. Use it to inspect and troubleshoot, not to authenticate.

How to use the JWT Decoder

  1. Copy your JWT from your app, logs, browser storage or an API response.
  2. Paste it into the Input box. A token looks like three base64url chunks joined by dots: header.payload.signature.
  3. The decoded result appears in the Output box right away, with the HEADER block and PAYLOAD block as readable JSON. No button to press.
  4. Click Copy to grab the decoded output for a ticket, a note or a code comment.

If you see an error about an expected header.payload.signature, the token is incomplete or you pasted only part of it. Make sure all three dot-separated sections came along.

Why decode JWTs here

It runs entirely in your browser. The token is decoded with local JavaScript and is never sent anywhere, which matters a lot when tokens can contain personal data or grant access. That means it is private by default, instant, free and needs no sign-up. Output is pretty-printed so timestamps and claims are easy to scan.

Tip: the exp and iat fields are Unix timestamps in seconds. Multiply by 1000 to get milliseconds where a date API expects them, as JavaScript's Date does, then read the result as a normal date. It is a fast way to check whether a token has already expired.
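The decode-only behaviour described above, as an added example rather than this tool's own code: it splits header.payload.signature, base64url-decodes the first two parts, converts exp and iat from seconds, and always reports the signature as unverified. The function names, the result fields and the sample token are assumptions constructed for illustration.

```javascript
function decodeSegment(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) {
    throw new Error("segment is not base64url");
  }
  // base64url -> base64: swap the URL-safe characters and restore padding.
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  // Decode as strict UTF-8 so non-ASCII claim values survive intact.
  const value = JSON.parse(new TextDecoder("utf-8", { fatal: true }).decode(bytes));
  if (value === null || typeof value !== "object" || Array.isArray(value)) {
    throw new Error("segment is not a JSON object");
  }
  return value;
}

// exp and iat are Unix seconds; JavaScript's Date expects milliseconds.
function secondsToIso(s) {
  if (typeof s !== "number") return null;
  const d = new Date(s * 1000);
  return Number.isNaN(d.getTime()) ? null : d.toISOString();
}

function inspectJwt(token, nowMs = Date.now()) {
  const parts = String(token).trim().split(".");
  if (parts.length !== 3 || parts.some((p) => p === "")) {
    throw new Error("expected header.payload.signature");
  }
  const header = decodeSegment(parts[0]);
  const payload = decodeSegment(parts[1]);
  return {
    header,
    payload,
    issuedAt: secondsToIso(payload.iat),
    expiresAt: secondsToIso(payload.exp),
    expired: typeof payload.exp === "number" ? payload.exp * 1000 <= nowMs : null,
    signatureVerified: false, // decoding says nothing about authenticity
  };
}

// Constructed sample token (not from a real system); the signature is filler.
const enc = (o) =>
  btoa(JSON.stringify(o)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE_TOKEN = [
  enc({ alg: "HS256", typ: "JWT" }),
  enc({ sub: "user-123", iss: "https://issuer.example", iat: 1700000000, exp: 1700003600 }),
  "constructed-signature",
].join(".");
console.log(inspectJwt(SAMPLE_TOKEN));
```

Because the signature segment is never examined, any string with two decodable segments produces a result here, which is why the output carries signatureVerified: false.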

Frequently asked questions

Does the JWT decoder verify the token signature?
No. This tool decodes the header and payload so you can read the claims, but it does not verify the signature. Decoding is not validation, so do not treat a decoded payload as proof the token is authentic. Verify the signature on your server with the signing key.

Is my token sent to a server when I decode it?
No. Decoding happens entirely in your browser with local JavaScript. The token never leaves your device, which is important since JWTs can carry personal data or access rights.

Why do I get a 'not a valid JWT' error?
A JWT must have three base64url sections joined by dots: header.payload.signature. If you pasted only part of the token or a malformed string, the decoder cannot find the header and payload. Paste the full token and try again.

How do I read the exp and iat fields in the payload?
They are Unix timestamps measured in seconds. Multiply the value by 1000 to convert it to milliseconds, then format it as a date in your language to check when the token was issued or when it expires.

Last updated: June 15, 2026