JWT Decoder

Free JWT Token Decoder

Quick Tips

  • This tool runs entirely in your browser - your data stays private.

Decode and inspect JSON Web Tokens (JWT) to view header and payload.

Examples

Input
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Output
Header: {alg: HS256, typ: JWT}
Payload: {sub: '1234567890', name: 'John Doe', iat: 1516239022}

Why Use This Tool?

What problems does this solve?

When debugging authentication issues, you need to inspect JWT contents quickly. This tool decodes tokens to reveal claims, expiration times, and structure without writing code or using browser developer tools.

Common use cases:

  • Debugging authentication failures by checking token claims
  • Verifying token expiration and issued-at timestamps
  • Inspecting user information and permissions in tokens
  • Understanding JWT structure for learning purposes
  • Analyzing tokens during security assessments

Who benefits from this tool?

Frontend and backend developers debugging authentication. Security engineers auditing token contents. Anyone learning about JWT-based authentication.

Privacy first: All decoding happens locally in your browser. Your tokens never leave your device.

Frequently Asked Questions

Yes, JWTs are only signed, not encrypted. The payload is Base64-encoded and readable by anyone. Never put sensitive information (passwords, secrets) in JWT payloads.

This tool decodes the payload for inspection but does not verify signatures. Signature verification requires the secret key or public key, which should never be shared with client-side tools.

The exp (expiration time) claim is a Unix timestamp indicating when the token becomes invalid. If the current time exceeds exp, the token is expired and should be rejected.

The three dot-separated parts are: header (algorithm and token type), payload (claims/data), and signature (cryptographic verification). The signature prevents tampering with the header or payload.

HS256 uses a shared secret key for signing and verification (symmetric). RS256 uses a private key for signing and a public key for verification (asymmetric). RS256 is better when the verifier should not be able to create tokens.

Yes, all decoding happens locally in your browser. Your JWT is never sent to any server. However, remember that anyone with the token can decode its payload, so never share JWTs publicly.