Back to Home

JWT Decoder & Inspector - Decode JWT Tokens Online

Decode JWT tokens online to inspect the header, payload, and signature, plus exp, iat, aud, and iss claims. Private, local JWT decoder for auth debugging.

Paste a JWT and this decoder instantly splits it into header, payload, and signature segments, then renders the decoded JOSE header and payload JSON. It also surfaces RFC 7519 registered claims—iss, sub, aud, exp, iat, nbf, jti, and scope—and flags whether the token is active, expired, or not yet valid. Decoding runs entirely in your browser; tokens are never uploaded.

Decode only, no signature verification

This JWT inspector decodes the token locally so you can examine claims safely. It does not verify whether the signature is authentic, valid, or trusted.

JWT Token

Supports raw JWT strings and tokens copied with a Bearer prefix.

Runs entirely in your browser. This tool decodes tokens for inspection only and does not verify signatures.

Algorithm

Not available

Status

Waiting for token

Signature

Waiting for token

Ready to inspect

Paste a JWT to inspect the decoded header, payload, signature segment, and RFC 7519 time claims in one place.

How to Decode and Inspect a JWT Online

01

Paste your JWT into the input area. Tokens with a Bearer prefix are cleaned automatically.

02

Review the decoded header and payload JSON, then inspect the RFC 7519 claim summary for issuer, audience, timing, and scope.

03

Copy the decoded JSON or signature segment when you need to debug integrations, auth flows, or API requests.

Key Features

Real-time local decoding

Decode JWT header and payload segments instantly without refreshing the page or relying on a backend service.

Built-in RFC 7519 claim inspection

Review RFC 7519 claims such as exp, iat, nbf, iss, sub, aud, and jti alongside token type and algorithm for faster debugging.

Built for auth debugging

Copy the raw token, decoded JSON, or signature segment while investigating auth issues across APIs, SPAs, and mobile clients.

JWT Decoder FAQ

Does this JWT decoder verify signatures?

This page decodes the JWT structure and shows the header, payload, and signature segment. It does not prove that the signature is valid or trusted.

Is this JWT inspector private?

Yes. Decoding happens entirely in your browser, so the token is not uploaded to our servers.

Which JWT claims can I inspect?

You can inspect RFC 7519 registered claims such as iss, sub, aud, exp, nbf, iat, and jti, along with JOSE header fields like alg, typ, and kid plus any custom payload claims.

Paste a JWT and this decoder instantly splits it into header, payload, and signature segments, then renders the decoded JOSE header and payload JSON. It also surfaces RFC 7519 registered claims—iss, sub, aud, exp, iat, nbf, jti, and scope—and flags whether the token is active, expired, or not yet valid. Decoding runs entirely in your browser; tokens are never uploaded.

How to Decode and Inspect a JWT

  1. 1

    Paste your JWT

    Drop a raw JWT string into the input area. Tokens copied with a Bearer prefix are cleaned automatically before decoding.

  2. 2

    Read the decoded segments

    Review the Base64URL-decoded header and payload as formatted JSON, plus the raw signature segment shown separately.

  3. 3

    Inspect the claim summary

    Check RFC 7519 registered claims such as issuer, subject, audience, scope, and JWT ID, along with the active, expired, or not-yet-valid status derived from exp, iat, and nbf.

  4. 4

    Copy what you need

    Use the copy buttons to grab the raw token, decoded header or payload JSON, or signature segment when debugging auth flows and API requests.

References

Related Tools

Frequently Asked Questions

Does this JWT decoder verify signatures?
No. This page decodes the JWT structure and shows the header, payload, and signature segment, but it does not prove that the signature is valid or trusted. Use your server's signing key and a JWS library to verify authenticity.
Is this JWT inspector private?
Yes. Decoding happens entirely in your browser using local JavaScript, so the token is never uploaded to our servers and never leaves your device.
Which JWT claims can I inspect?
You can inspect RFC 7519 registered claims such as iss, sub, aud, exp, nbf, iat, and jti, along with JOSE header fields like alg, typ, and kid, plus any custom payload claims.
How do I know if a JWT is expired?
The inspector reads the exp (expiration) and nbf (not before) claims and shows a status of Active, Expired, or Not valid yet by comparing those Unix timestamps with the current time.
Can I decode a token that includes a Bearer prefix?
Yes. If you paste a token copied as "Bearer eyJ...", the decoder automatically strips the Bearer prefix before parsing the JWT segments.