
JWT Decoder – Decode JWT Online (Free Tool)

Free online JWT Decoder tool to decode and inspect JSON Web Tokens (JWT) instantly. View header, payload, and signature details without needing the secret key. Decode and analyze JWT structure for debugging authentication flows. All decoding happens locally in your browser.

What is JWT Decoder?

JWT Decoder splits a JSON Web Token into its three parts — header, payload, signature — and base64url-decodes the first two so you can read the claims. It is the same view you get from jwt.io, but the token is decoded locally; nothing is uploaded. Use it when you need to confirm the algorithm, inspect the `exp` claim, or just see what your auth provider actually puts in the payload.

Why use this tool?

  • No telemetry, no tracking pixels, no third-party scripts
  • Open-and-go: bookmark the page once and never look for an alternative
  • Instant results — no waiting on a server or upload progress bar
  • Built for developer workflows: copy-friendly output, syntax-aware highlighting where useful
  • Works with very large inputs (multi-megabyte JSON, long regex patterns, big tables)

How to use

  1. Paste your token into the JWT Decoder input area
  2. Configure the options if the defaults don't match your case
  3. Click the action button and inspect the result
  4. Copy the output to your clipboard or download as a file

Examples

Inspect an expiring token

Paste a token and read the `exp` claim. Compare its value (Unix seconds) to the current time to see how long the session has left.

Confirm the signing algorithm

The header shows `alg`. If you expect RS256 but see HS256, your library may be misconfigured — this is a classic JWT vulnerability vector.

Debug claim shape

Login fails because the backend expects `sub` but the IdP issues `user_id`. Decoding the token surfaces the mismatch instantly.

Common use cases

  • Debugging "401 Unauthorized" errors in API calls
  • Verifying that an access token contains the expected scopes/roles
  • Inspecting token expiry before retrying a failed request
  • Comparing tokens issued by different identity providers
  • Training and onboarding when explaining how JWTs work

Troubleshooting

"Invalid token" error.
Make sure you pasted exactly three base64url segments separated by dots. Stray quotation marks, leading "Bearer ", or whitespace break the parse.

Payload claims look garbled.
The token uses base64url (not standard base64). Our decoder handles that, but if you decoded by hand elsewhere, substitute "-" with "+" and "_" with "/" and add padding.

I can see the payload — is my token compromised?
Any holder of the token can read its payload; that is by design. Confidentiality comes from how you store and transmit the token, not from JWT itself.
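
The by-hand checks from the Examples and Troubleshooting sections, written out as an added example (not this tool's own code): clean the pasted text, convert base64url to base64 with padding, then compare `alg` and `exp`. The function names, the sample token, and the fixed clock value are constructed for illustration; the code only decodes and does not verify the signature.

```javascript
// Added example: manual JWT inspection. Decoding only; no signature check.

// Convert one base64url segment to a UTF-8 string.
function b64urlDecode(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error("segment is not base64url");
  let b64 = segment.replace(/-/g, "+").replace(/_/g, "/"); // "-" to "+", "_" to "/"
  b64 += "=".repeat((4 - (b64.length % 4)) % 4);           // restore stripped padding
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8").decode(bytes);
}

// Strip the usual paste debris: whitespace, quotation marks, a leading "Bearer ".
function cleanToken(raw) {
  return raw.replace(/^[\s"']*(?:Bearer\s+)?[\s"']*/i, "").replace(/[\s"']+$/, "");
}

// Decode header and payload, then report the two checks the page describes.
function inspectJwt(raw, expectedAlg, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = cleanToken(raw).split(".");
  if (parts.length !== 3) throw new Error(`expected 3 segments, got ${parts.length}`);
  const header = JSON.parse(b64urlDecode(parts[0]));
  const payload = JSON.parse(b64urlDecode(parts[1]));
  return {
    header,
    payload,
    algMatches: header.alg === expectedAlg, // false means: stop and check the config
    secondsLeft: typeof payload.exp === "number" ? payload.exp - nowSeconds : null,
  };
}

// Helper used only to build the constructed sample below.
function b64urlEncode(text) {
  const bin = String.fromCharCode(...new TextEncoder().encode(text));
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Constructed sample: HS256 header, `user_id` instead of `sub`, placeholder signature.
const SAMPLE_TOKEN = [
  b64urlEncode(JSON.stringify({ alg: "HS256", typ: "JWT" })),
  b64urlEncode(JSON.stringify({ user_id: "u-1001", name: "Zoë", exp: 1700003600 })),
  "c2lnbmF0dXJlLXBsYWNlaG9sZGVy",
].join(".");

// Pasted with quotes, a "Bearer " prefix and a trailing newline; clock fixed for the demo.
const report = inspectJwt(`"Bearer ${SAMPLE_TOKEN}"\n`, "RS256", 1700000000);
console.log(report);
```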

Frequently Asked Questions

JWT (JSON Web Token) is a compact, URL-safe token format for securely transmitting information between parties. It consists of header, payload, and signature separated by dots.
