About JWT Decoder — Inspect Token Payload Without Sending to Server
Debugging authentication means inspecting JWT claims — but splitting the token on dots, Base64URL-decoding each segment, and formatting the resulting JSON is tedious and error-prone. This decoder separates the three segments automatically, decodes the header and payload into formatted JSON with syntax highlighting, converts Unix timestamp claims (exp, iat, nbf) to human-readable dates, and checks whether the token has expired. It also reveals the signing algorithm from the header so you can audit for weak configurations like alg: none.
How to Use This Tool
Follow these simple steps to get accurate results in seconds. The whole process takes less than a minute for most inputs.
- 1
Copy Your JWT
Copy the full JWT string from your browser's Network tab, localStorage, or cookie value. It should look like eyJhbGciOi..xNjQ2NzY4MDB9.SflKx..
- 2
Paste the Token
Paste the complete JWT into the input field. The decoder automatically separates the three segments.
- 3
Review the Header
Check the decoded header for the token type (typ) and signing algorithm (alg). Verify that strong algorithms like RS256 are used.
- 4
Inspect the Payload
Review the decoded claims including user ID, roles, expiration, and issuer. Timestamps are shown in human-readable format alongside the raw values.
- 5
Check Expiration
Verify whether the token is still valid by checking the expiration indicator next to the exp claim.
How It Works
The technical details of how this tool processes your input and produces accurate results.
Segment Splitting and Base64URL Decoding
The decoder splits the JWT on the dot separator into its three segments: header, payload, and signature. Each of the first two segments is decoded from Base64URL encoding (which uses - and _ instead of + and /, and omits = padding) back to UTF-8 text using the browser's atob() function after normalizing the encoding to standard Base64.
JSON Parsing and Timestamp Conversion
The decoded header and payload strings are parsed as JSON. Standard timestamp claims — exp (expiration), iat (issued at), nbf (not before) — are identified by key name and converted from Unix epoch seconds to human-readable date strings using the browser's Intl.DateTimeFormat API, displayed alongside the raw numeric values.
Expiration Check and Algorithm Inspection
The exp claim value is compared against the current time to determine whether the token has expired, with the result displayed as a clear valid/expired indicator. The alg field from the header is extracted and checked against a list of known-weak algorithms, with warnings displayed for configurations like 'none' or 'HS256' with short secrets.
Key Features
Built to handle real workflows quickly and accurately. Each feature solves a specific problem you'd otherwise need multiple tools or manual steps to address.
Instant Header & Payload Decoding
Base64URL-decodes both the header and payload segments of any JWT into formatted, syntax-highlighted JSON.
Timestamp Conversion
Standard JWT timestamp claims (exp, iat, nbf) are automatically converted from Unix epoch to human-readable date and time strings.
Expiration Check
Compares the exp claim against the current time and clearly indicates whether the token is still valid or has expired.
Algorithm Inspection
The decoded header reveals the signing algorithm (alg) and token type (typ), helping you verify that strong algorithms are used and flagging weak configurations like alg: none.
Benefits of Using JWT Decoder — Inspect Token Payload Without Sending to Server
Why this tool matters and how it improves your daily work.
Timestamp Conversion Saves Mental Arithmetic
An exp claim of 1709251200 tells you nothing at a glance. The decoder converts it to 'March 1, 2024 00:00 UTC — EXPIRED' so you immediately know the token state without opening a separate epoch converter.
Algorithm Header Audit Catches Misconfigurations
The alg: none attack bypasses signature verification entirely by setting the algorithm header to 'none'. The decoder surfaces the algorithm prominently and flags weak configurations so you can catch this vulnerability during security audits.
No Manual Base64URL Decoding Steps
Decoding a JWT by hand requires splitting on dots, replacing - with + and _ with /, adding padding, running atob(), and parsing JSON — for each segment. This tool does all three steps for both segments in one paste.
Expiration Status at a Glance
Instead of copying the exp value to a separate epoch converter and comparing it to the current time, the decoder shows the expiration date and a clear valid/expired indicator directly alongside the decoded claims.
Common Use Cases
Real scenarios where this tool saves time and produces better results than manual methods.
Debug Authentication Failures
A user reports they cannot access a protected endpoint. Decode their JWT to find the exp claim shows it expired 20 minutes ago — the issue is token expiration, not permissions. No need to add logging to the backend.
Security Audit Token Claims
Examine JWT claims to verify that tokens do not contain overly broad permission scopes, that the alg header is not set to 'none', and that the exp claim is set to a reasonable duration like 15 minutes rather than 24 hours.
Verify Correct Claims Are Issued After Login
After implementing a new role-based access control system, decode the JWT issued after login to confirm the roles claim contains the expected values and the sub claim matches the correct user ID.
Client-Side Access Control Decisions
Decode tokens stored in localStorage or cookies to check the current user's permissions and session expiry before making API calls, enabling client-side routing and access control decisions without additional network requests.
Who Uses This Tool
Backend Developers
inspecting JWT tokens during authentication debugging to verify that the correct user ID, roles, and scopes are being issued after login and that expiration timestamps align with their session configuration
Security Auditors
examining JWT claims to verify that tokens do not contain overly broad permissions, that algorithm restrictions are properly set in the header, and that sensitive data is not being exposed in the payload
Frontend Developers
decoding tokens stored in localStorage or cookies to check the current user's permissions and session expiry before making API calls, enabling client-side access control decisions
Pro Tips
Practical advice to get the most out of this tool, based on how experienced users actually work with it.
Check the alg field in the decoded header to ensure it is set to a strong algorithm like RS256 or ES256. Tokens with alg set to none or HS256 with a weak secret are vulnerable to forgery attacks.
Use the decoded exp claim to determine how long a token remains valid. If tokens expire too quickly, users experience frequent re-authentication. If they last too long, the risk window for stolen tokens increases. Most applications use 15-minute access tokens with refresh tokens for longer sessions.
Never paste JWTs containing highly sensitive data into the decoder on a shared or public computer. Although the tool processes everything locally, browser history and clipboard managers may retain the token contents.
Frequently Asked Questions
Quick answers to the most common questions about this tool. If your question isn't here, contact our support team.