JWT Token Decoder and Inspector

Blog

JWT Token Decoder and Inspector

BlogCheatsheets
Loading...
Loading JWT...

Description

Decode JSON Web Tokens to inspect headers, payloads, and signatures without secret keys. Great for debugging authentication flows.

About JWT Token Decoder and Inspector

The JWT Decoder splits a JSON Web Token into its three parts — header, payload, and signature — and decodes the Base64URL segments so you can read the claims in plain JSON. It runs entirely in your browser and never needs your secret key, because decoding a JWT does not require verifying it. Use it to debug authentication flows, inspect token expiry, and confirm which claims a service issued.

How to use

  1. Paste your JWT (the long xxxxx.yyyyy.zzzzz string) into the input.
  2. The header (algorithm and token type) and payload (claims) are decoded and shown as formatted JSON.
  3. Check standard claims like exp (expiry), iat (issued at), iss (issuer), and sub (subject).
  4. The signature segment is shown but not verified — verification requires the signing key.

Frequently asked questions

Does decoding a JWT require the secret key?

No. The header and payload are only Base64URL-encoded, not encrypted, so anyone can decode and read them. The secret key is only needed to verify the signature, which proves the token wasn't tampered with.

Is it safe to paste a token here?

Decoding happens entirely in your browser — nothing is uploaded. Still, treat real access tokens as secrets and avoid pasting production tokens into any tool you don't control.

Why does my token show as expired?

The exp claim is a Unix timestamp. If it is earlier than the current time, the token has expired and most servers will reject it even though it still decodes fine here.

Can I read an encrypted JWE here?

No. This tool decodes signed JWTs (JWS). Encrypted tokens (JWE) require the decryption key and are not human-readable by decoding alone.