JWT Decoder & Inspector - Decode JWT Tokens Online
Decode JWT tokens online to inspect the header, payload, and signature, plus exp, iat, aud, and iss claims. Private, local JWT decoder for auth debugging.
Paste a JWT and this decoder instantly splits it into header, payload, and signature segments, then renders the decoded JOSE header and payload JSON. It also surfaces RFC 7519 registered claims—iss, sub, aud, exp, iat, nbf, jti, and scope—and flags whether the token is active, expired, or not yet valid. Decoding runs entirely in your browser; tokens are never uploaded.
Decode only, no signature verification
This JWT inspector decodes the token locally so you can examine claims safely. It does not verify whether the signature is authentic, valid, or trusted.
JWT Token
Supports raw JWT strings and tokens copied with a Bearer prefix.
Runs entirely in your browser. This tool decodes tokens for inspection only and does not verify signatures.
Algorithm
Not available
Status
Waiting for token
Signature
Waiting for token
Ready to inspect
Paste a JWT to inspect the decoded header, payload, signature segment, and RFC 7519 time claims in one place.
How to Decode and Inspect a JWT Online
Paste your JWT into the input area. Tokens with a Bearer prefix are cleaned automatically.
Review the decoded header and payload JSON, then inspect the RFC 7519 claim summary for issuer, audience, timing, and scope.
Copy the decoded JSON or signature segment when you need to debug integrations, auth flows, or API requests.
Key Features
Real-time local decoding
Decode JWT header and payload segments instantly without refreshing the page or relying on a backend service.
Built-in RFC 7519 claim inspection
Review RFC 7519 claims such as exp, iat, nbf, iss, sub, aud, and jti alongside token type and algorithm for faster debugging.
Built for auth debugging
Copy the raw token, decoded JSON, or signature segment while investigating auth issues across APIs, SPAs, and mobile clients.
JWT Decoder FAQ
Does this JWT decoder verify signatures?
This page decodes the JWT structure and shows the header, payload, and signature segment. It does not prove that the signature is valid or trusted.
Is this JWT inspector private?
Yes. Decoding happens entirely in your browser, so the token is not uploaded to our servers.
Which JWT claims can I inspect?
You can inspect RFC 7519 registered claims such as iss, sub, aud, exp, nbf, iat, and jti, along with JOSE header fields like alg, typ, and kid plus any custom payload claims.
Paste a JWT and this decoder instantly splits it into header, payload, and signature segments, then renders the decoded JOSE header and payload JSON. It also surfaces RFC 7519 registered claims—iss, sub, aud, exp, iat, nbf, jti, and scope—and flags whether the token is active, expired, or not yet valid. Decoding runs entirely in your browser; tokens are never uploaded.
How to Decode and Inspect a JWT
- 1
Paste your JWT
Drop a raw JWT string into the input area. Tokens copied with a Bearer prefix are cleaned automatically before decoding.
- 2
Read the decoded segments
Review the Base64URL-decoded header and payload as formatted JSON, plus the raw signature segment shown separately.
- 3
Inspect the claim summary
Check RFC 7519 registered claims such as issuer, subject, audience, scope, and JWT ID, along with the active, expired, or not-yet-valid status derived from exp, iat, and nbf.
- 4
Copy what you need
Use the copy buttons to grab the raw token, decoded header or payload JSON, or signature segment when debugging auth flows and API requests.
References
- RFC 7519 — JSON Web Token (JWT)
The IETF specification defining JWT structure and the registered claims (iss, sub, aud, exp, nbf, iat, jti) this tool inspects.
- RFC 7515 — JSON Web Signature (JWS)
The IETF specification for the JWS compact serialization and JOSE header fields like alg and typ found in the decoded header.
Related Tools
Base64 Encode / Decode
Decode the Base64URL segments of a JWT or encode arbitrary data by hand.
Hash Generator
Compute SHA-256 and other hashes used in HMAC-signed JWT signatures.
Timestamp Converter
Convert exp, iat, and nbf Unix timestamps into human-readable dates.
JSON Formatter
Beautify and validate the decoded header and payload JSON.
Frequently Asked Questions
- Does this JWT decoder verify signatures?
- No. This page decodes the JWT structure and shows the header, payload, and signature segment, but it does not prove that the signature is valid or trusted. Use your server's signing key and a JWS library to verify authenticity.
- Is this JWT inspector private?
- Yes. Decoding happens entirely in your browser using local JavaScript, so the token is never uploaded to our servers and never leaves your device.
- Which JWT claims can I inspect?
- You can inspect RFC 7519 registered claims such as iss, sub, aud, exp, nbf, iat, and jti, along with JOSE header fields like alg, typ, and kid, plus any custom payload claims.
- How do I know if a JWT is expired?
- The inspector reads the exp (expiration) and nbf (not before) claims and shows a status of Active, Expired, or Not valid yet by comparing those Unix timestamps with the current time.
- Can I decode a token that includes a Bearer prefix?
- Yes. If you paste a token copied as "Bearer eyJ...", the decoder automatically strips the Bearer prefix before parsing the JWT segments.