What is a JWT and why would I need to decode one?

JWT (JSON Web Token) is a compact, URL-safe way to represent claims between parties. You may need to decode a JWT to inspect its payload for debugging, verify its expiration time, or understand which claims it contains — common during development or security audits.

Does this tool validate the JWT signature?

Yes, the tool attempts to validate the signature for common algorithms like HS256 and RS256. It displays whether the signature is valid or not, helping you ensure the token hasn't been tampered with.

Is my JWT data secure when using this decoder?

Yes, 100% secure. All processing occurs entirely in your browser using JavaScript. Your JWT is never sent to our servers, stored, or logged. The tool is completely private.

What algorithms are supported for signature validation?

The tool supports the most common JWT algorithms, including HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, and ES512. It will attempt to validate the signature if the appropriate key is provided or if the algorithm allows verification.

What is the difference between JWT decoding and JWT validation?

Decoding a JWT simply extracts and displays the header and payload without verifying the signature. Validation checks the signature to ensure the token hasn't been altered and that it hasn't expired. Our tool does both — you get the decoded data plus a signature validity indicator.

Are there any limitations to this free JWT decoder?

Free with no account required — decodes any standard JWT instantly in your browser. The header and payload are never sent to any server.

JWT Decoder — Inspect Token Claims & Expiry Free Online

Decode, validate, and inspect JSON Web Tokens (JWT) instantly. View the header, payload, andsignature status. All processing runs locally in your browser with 100% privacy — no signup or upload required.

Quick Answer

How do I check if a JWT is expired or see its claims?

Paste your JWT into the decoder above. It instantly shows the header (algorithm), payload (claims including exp, iat, sub, aud), and whether the token is currently expired based on the exp timestamp. No private key is needed to decode — JWT payloads are Base64URL-encoded JSON, not encrypted.

JWT token

Standard JWT claim reference

issIssuer

Identifies the principal that issued the JWT.

subSubject

Identifies the principal that is the subject of the JWT (usually a user ID).

audAudience

Identifies the recipients that the JWT is intended for.

expExpiration Time

Unix timestamp after which the JWT must not be accepted.

nbfNot Before

Unix timestamp before which the JWT must not be accepted.

iatIssued At

Unix timestamp at which the JWT was issued.

jtiJWT ID

Unique identifier for this token to prevent replay attacks.

nameFull Name

User's full name (OpenID Connect standard claim).

emailEmail

User's email address (OpenID Connect standard claim).

picturePicture URL

URL of the user's profile picture (OpenID Connect standard claim).

roleRole

User role or permission level (application-specific claim).

rolesRoles

Array of user roles (application-specific claim).

scopeScope

OAuth 2.0 scope — the permissions granted by this token.

azpAuthorized Party

Client ID of the application the token was issued to.

sidSession ID

Session identifier; can be used to bind token to a session.

JWT algorithm comparison

Algorithm	Type	Use case	Safe?
HS256	HMAC	HMAC with SHA-256. Symmetric: same secret signs and verifies. Simple but secret must be shared.	Yes
HS384	HMAC	HMAC with SHA-384. Same as HS256 but larger hash. Rarely needed.	Yes
HS512	HMAC	HMAC with SHA-512. Same as HS256 but largest hash.	Yes
RS256	RSA	RSA with SHA-256. Asymmetric: private key signs, public key verifies. Preferred for public APIs.	Yes
RS384	RSA	RSA with SHA-384.	Yes
RS512	RSA	RSA with SHA-512.	Yes
ES256	ECDSA	ECDSA with P-256 and SHA-256. Smaller keys than RSA, same security. Preferred for mobile.	Yes
ES384	ECDSA	ECDSA with P-384 and SHA-384.	Yes
ES512	ECDSA	ECDSA with P-521 and SHA-512.	Yes
none	None	No signature. The token is completely unsigned and unverifiable.	Dangerous
PS256	RSA-PSS	RSASSA-PSS with SHA-256. More secure than RS256, recommended for new systems.	Yes

What the token actually contains

A JWT is three Base64url-encoded chunks separated by dots: a header, a payload, and a signature. The header and payload are readable by anyone — they're not encrypted, just encoded. The signature is what proves authenticity, and it requires the server's secret key to verify.

When an auth bug goes dark — a 401 that shouldn't be happening, a user who can't access a resource they should have permission for — the first step is reading what's actually in the token. I wrote about this in Reading JWT Tokens Without a Library — you can decode any token in 10 seconds with just a browser.

Fields to check when debugging auth

Field	What it means	What to check
exp	Expiry time (Unix timestamp)	Is it in the past? Compare to Date.now() / 1000
iat	Issued at time	Is it suspiciously old or in the future?
iss	Issuer	Does it match the expected auth server?
aud	Audience	Does it include your API/service?
sub	Subject (user ID)	Is it the correct user?
scope / roles	Permissions granted	Does it include the required scope for this endpoint?
alg (header)	Signing algorithm	Is it RS256 or HS256? Never "none"

What this tool does NOT do

Signature verificationThis tool decodes the header and payload — it does not verify the signature. You need the server's public key (for RS256) or shared secret (for HS256) to verify authenticity. Never trust a JWT's claims without verifying the signature on the server.
JWE (encrypted tokens)JWE tokens are encrypted, not just signed. They look like 5-part strings (4 dots). This tool decodes JWS (signed) tokens only — JWE will not decode meaningfully.

The decoder runs entirely in your browser. Your tokens — which may contain user IDs, scopes, and session data — never leave your device.

JWT standard claims — what each field means

The JWT spec (RFC 7519) defines a set of registered claim names. You'll see these in the decoded payload — here's what each one means:

Claim	Full name	Meaning	Type
iss	Issuer	Who issued the token (e.g., "https://auth.example.com")	String
sub	Subject	The user or entity the token is about (e.g., user ID)	String
aud	Audience	Who the token is intended for — your API should verify this matches	String or array
exp	Expiration time	Unix timestamp (seconds) after which the token is invalid	Number
iat	Issued at	Unix timestamp when the token was created	Number
nbf	Not before	Unix timestamp before which the token must not be accepted	Number
jti	JWT ID	Unique identifier for this specific token — used to prevent replay attacks	String
scope / scp	Scope (OAuth 2.0)	Space-separated list of permissions granted to the token	String
roles / groups	Custom (not in RFC)	User roles or group memberships — added by auth providers like Auth0, Okta	Array

Timestamps (exp, iat, nbf) are Unix epoch seconds — divide by 1000 to convert to JavaScript Date milliseconds, or paste into a Unix timestamp converter.

Video demo