Introduction
The JWT Decoder shows the header and payload of a JSON Web Token so you can inspect claims like exp, aud, iss, and sub while debugging authentication. Decoding is not signature verification—validating a JWT requires cryptographic checks with keys on your servers. Use this when tokens fail in staging, when comparing issuers across environments, or when checking expiry against your clock. Avoid pasting production tokens on untrusted networks. For creating signed test tokens, use JWT Generator. JWT segments use Base64url-encoded JSON, similar to but not identical to plain Base64.
How to use
- Paste a JWT string (three segments separated by dots).
- Decode header and payload to JSON for inspection.
- Check exp, nbf, aud, iss, and sub against your expectations.
- Remember that signature verification requires server-side validation with the correct keys; decoding alone proves nothing about who issued the token.
- If claims look wrong, trace the issuer configuration and clock skew.
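The steps above, as an added example that is not part of the tool itself: it restores the Base64url padding, splits the three segments, decodes header and payload, and compares exp, nbf, aud and iss against expected values with a small clock-skew allowance. The sample token is constructed in the code and its signature segment is a placeholder; nothing here verifies a signature.

```python
import base64
import json
import time

def b64url_decode(segment: str) -> bytes:
    # Base64url uses '-' and '_' and normally omits '=' padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def decode_jwt(token: str):
    """Return (header, payload) as dicts. This does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated segments, got {len(parts)}")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload

def check_claims(payload, expected_iss, expected_aud, now=None, leeway=60):
    """List mismatches between the claims and what the caller expects.
    `leeway` (seconds) tolerates small clock skew between issuer and checker."""
    now = time.time() if now is None else now
    problems = []
    if payload.get("iss") != expected_iss:
        problems.append(f"iss is {payload.get('iss')!r}, expected {expected_iss!r}")
    aud = payload.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]   # aud may be a string or a list
    if expected_aud not in audiences:
        problems.append(f"aud {aud!r} does not include {expected_aud!r}")
    if "exp" in payload and now > payload["exp"] + leeway:
        problems.append(f"exp {payload['exp']} is in the past (now={int(now)})")
    if "nbf" in payload and now < payload["nbf"] - leeway:
        problems.append(f"nbf {payload['nbf']} is in the future (now={int(now)})")
    return problems

def make_unsigned_sample(payload):
    """Constructed demo token: real header/payload encoding, placeholder signature segment."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    return ".".join([b64url_encode(compact(header)), b64url_encode(compact(payload)),
                     "signature-placeholder"])

if __name__ == "__main__":
    token = make_unsigned_sample({"iss": "https://idp.staging.example", "aud": ["api://orders"],
                                  "sub": "u1", "exp": 1_700_000_600, "nbf": 1_700_000_000})
    hdr, body = decode_jwt(token)
    print(hdr, body)
    print(check_claims(body, "https://idp.prod.example", "api://orders", now=1_700_000_700))
```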
Use cases
- Debug “invalid token” errors by checking expiry and audience
- Compare tokens issued by staging vs production identity providers
- Inspect role claims for authorization bugs
- Educate teammates on JWT structure during onboarding
- Pair with API logs to correlate request failures with claims
FAQ
- Does this verify JWT signatures?
- No. Signature verification is cryptographic and must be done server-side with the correct keys.
- Why does a JWT look like Base64?
- The header and payload are Base64url-encoded JSON, a URL-safe variant of Base64.
- Is it safe to paste tokens?
- Avoid production secrets. Use tokens with minimal exposure and follow your security policy.
- What if exp looks wrong?
- Check system clocks, time zones, and whether the token is refreshed correctly.
- Can I decode refresh tokens?
- You can decode them technically, but treat refresh tokens as highly sensitive—handle with care.