About JWT Decoder — Inspect Token Payload Without Sending to Server

Debugging authentication means inspecting JWT claims — but splitting the token on dots, Base64URL-decoding each segment, and formatting the resulting JSON is tedious and error-prone. This decoder separates the three segments automatically, decodes the header and payload into formatted JSON with syntax highlighting, converts Unix timestamp claims (exp, iat, nbf) to human-readable dates, and checks whether the token has expired. It also reveals the signing algorithm from the header so you can audit for weak configurations like alg: none.

How to Use This Tool

Follow these simple steps to get accurate results in seconds. The whole process takes less than a minute for most inputs.

  1. 1

    Copy Your JWT

    Copy the full JWT string from your browser's Network tab, localStorage, or cookie value. It should look like eyJhbGciOi..xNjQ2NzY4MDB9.SflKx..

  2. 2

    Paste the Token

    Paste the complete JWT into the input field. The decoder automatically separates the three segments.

  3. 3

    Review the Header

    Check the decoded header for the token type (typ) and signing algorithm (alg). Verify that strong algorithms like RS256 are used.

  4. 4

    Inspect the Payload

    Review the decoded claims including user ID, roles, expiration, and issuer. Timestamps are shown in human-readable format alongside the raw values.

  5. 5

    Check Expiration

    Verify whether the token is still valid by checking the expiration indicator next to the exp claim.

How It Works

The technical details of how this tool processes your input and produces accurate results.

Segment Splitting and Base64URL Decoding

The decoder splits the JWT on the dot separator into its three segments: header, payload, and signature. Each of the first two segments is decoded from Base64URL encoding (which uses - and _ instead of + and /, and omits = padding) back to UTF-8 text using the browser's atob() function after normalizing the encoding to standard Base64.

JSON Parsing and Timestamp Conversion

The decoded header and payload strings are parsed as JSON. Standard timestamp claims — exp (expiration), iat (issued at), nbf (not before) — are identified by key name and converted from Unix epoch seconds to human-readable date strings using the browser's Intl.DateTimeFormat API, displayed alongside the raw numeric values.

Expiration Check and Algorithm Inspection

The exp claim value is compared against the current time to determine whether the token has expired, with the result displayed as a clear valid/expired indicator. The alg field from the header is extracted and checked against a list of known-weak algorithms, with warnings displayed for configurations like 'none' or 'HS256' with short secrets.

Key Features

Built to handle real workflows quickly and accurately. Each feature solves a specific problem you'd otherwise need multiple tools or manual steps to address.

Instant Header & Payload Decoding

Base64URL-decodes both the header and payload segments of any JWT into formatted, syntax-highlighted JSON.

Timestamp Conversion

Standard JWT timestamp claims (exp, iat, nbf) are automatically converted from Unix epoch to human-readable date and time strings.

Expiration Check

Compares the exp claim against the current time and clearly indicates whether the token is still valid or has expired.

Algorithm Inspection

The decoded header reveals the signing algorithm (alg) and token type (typ), helping you verify that strong algorithms are used and flagging weak configurations like alg: none.

Benefits of Using JWT Decoder — Inspect Token Payload Without Sending to Server

Why this tool matters and how it improves your daily work.

Timestamp Conversion Saves Mental Arithmetic

An exp claim of 1709251200 tells you nothing at a glance. The decoder converts it to 'March 1, 2024 00:00 UTC — EXPIRED' so you immediately know the token state without opening a separate epoch converter.

Algorithm Header Audit Catches Misconfigurations

The alg: none attack bypasses signature verification entirely by setting the algorithm header to 'none'. The decoder surfaces the algorithm prominently and flags weak configurations so you can catch this vulnerability during security audits.

No Manual Base64URL Decoding Steps

Decoding a JWT by hand requires splitting on dots, replacing - with + and _ with /, adding padding, running atob(), and parsing JSON — for each segment. This tool does all three steps for both segments in one paste.

Expiration Status at a Glance

Instead of copying the exp value to a separate epoch converter and comparing it to the current time, the decoder shows the expiration date and a clear valid/expired indicator directly alongside the decoded claims.

Common Use Cases

Real scenarios where this tool saves time and produces better results than manual methods.

Debug Authentication Failures

A user reports they cannot access a protected endpoint. Decode their JWT to find the exp claim shows it expired 20 minutes ago — the issue is token expiration, not permissions. No need to add logging to the backend.

Security Audit Token Claims

Examine JWT claims to verify that tokens do not contain overly broad permission scopes, that the alg header is not set to 'none', and that the exp claim is set to a reasonable duration like 15 minutes rather than 24 hours.

Verify Correct Claims Are Issued After Login

After implementing a new role-based access control system, decode the JWT issued after login to confirm the roles claim contains the expected values and the sub claim matches the correct user ID.

Client-Side Access Control Decisions

Decode tokens stored in localStorage or cookies to check the current user's permissions and session expiry before making API calls, enabling client-side routing and access control decisions without additional network requests.

Who Uses This Tool

Backend Developers

inspecting JWT tokens during authentication debugging to verify that the correct user ID, roles, and scopes are being issued after login and that expiration timestamps align with their session configuration

Security Auditors

examining JWT claims to verify that tokens do not contain overly broad permissions, that algorithm restrictions are properly set in the header, and that sensitive data is not being exposed in the payload

Frontend Developers

decoding tokens stored in localStorage or cookies to check the current user's permissions and session expiry before making API calls, enabling client-side access control decisions

Pro Tips

Practical advice to get the most out of this tool, based on how experienced users actually work with it.

1

Check the alg field in the decoded header to ensure it is set to a strong algorithm like RS256 or ES256. Tokens with alg set to none or HS256 with a weak secret are vulnerable to forgery attacks.

2

Use the decoded exp claim to determine how long a token remains valid. If tokens expire too quickly, users experience frequent re-authentication. If they last too long, the risk window for stolen tokens increases. Most applications use 15-minute access tokens with refresh tokens for longer sessions.

3

Never paste JWTs containing highly sensitive data into the decoder on a shared or public computer. Although the tool processes everything locally, browser history and clipboard managers may retain the token contents.

Frequently Asked Questions

Quick answers to the most common questions about this tool. If your question isn't here, contact our support team.

Does the decoder verify the token signature?
No. The tool decodes the header and payload but does not verify the cryptographic signature. Signature verification requires the secret key or public key, which should never be pasted into a web tool. Use the decoder for inspecting claims, and verify signatures in your server-side code.
What happens if I paste an invalid or malformed JWT?
The decoder validates the token structure and reports an error if the format is incorrect, such as missing segments or non-Base64URL characters. This helps you quickly identify whether a token has been truncated, corrupted, or improperly generated.
Are the timestamps in the payload converted to readable dates?
Yes. Standard JWT timestamp claims like exp (expiration), iat (issued at), and nbf (not before) are automatically converted from Unix epoch seconds into human-readable date and time strings alongside the raw numeric values.
What should I look for when auditing JWT security?
Check the alg header field for weak algorithms like none or HS256 with a short secret. Look for overly broad scopes or roles in the payload, verify that the exp claim is set to a reasonable duration, and ensure no sensitive personal data is stored unencrypted in the payload since anyone with the token can decode it.
Can I decode refresh tokens the same way as access tokens?
Only if the refresh token follows the JWS format. Some OAuth providers use opaque refresh tokens that are random strings with no dot-separated segments — these cannot be decoded as JSON Web Tokens.
Why does my decoded JWT show unexpected characters or errors?
This usually happens when the token has been truncated, corrupted, or includes characters outside the Base64URL alphabet. Make sure you copied the complete token including all three segments separated by dots. Tokens copied from browser dev tools sometimes include extra whitespace or surrounding quotes that need to be removed.
Is this JWT decoder free to use online?
Yes. This JWT decoder is completely free and runs entirely in your browser. No signup required, and no server processing. Your tokens never leave your device.
How do I decode a JWT token step by step?
Copy the full JWT string (three segments separated by dots), paste it into the input field, and the decoder instantly shows the header algorithm, payload claims with human-readable timestamps, and expiration status — no manual Base64URL decoding required.

Share this tool

Spread the word on social media

https://toolmetry.pro/utility/jwt-decoder