A JSON Web Token (JWT, pronounced 'jot') is a compact, URL-safe format for representing claims — assertions about a subject (typically a user) — as a JSON object. JWTs are used primarily for authentication and authorization in web applications and APIs. After a user logs in, the server issues a JWT that the client stores and sends with subsequent requests. The server verifies the JWT signature to authenticate the request without needing to look up a session in a database. JWTs are the foundation of OAuth 2.0 bearer tokens and OpenID Connect identity tokens.

JWT claims are the fields in the payload section. Standard (registered) claims include: iss (issuer — who issued the token), sub (subject — who the token is about, typically a user ID), aud (audience — who the token is intended for), exp (expiration time — Unix timestamp after which the token is invalid), nbf (not before — Unix timestamp before which the token is not valid), iat (issued at — Unix timestamp when the token was created), and jti (JWT ID — unique identifier for the token). Private claims are application-specific fields added by the token issuer (like email, role, or userId).

JWT Decoder & Inspector – Free Online Tool

What is a JWT Decoder & Inspector?

A JWT decoder parses and displays the contents of JSON Web Tokens (JWTs) in a human-readable format, allowing developers to inspect authentication tokens, debug API authorization issues, and verify token claims without needing a private key or secret. JWTs are the standard authentication token format used by OAuth 2.0, OpenID Connect, and countless REST APIs. A JWT consists of three Base64url-encoded sections separated by dots: the header (containing the algorithm and token type), the payload (containing the claims — data assertions about the user or session), and the signature (used to verify the token was not tampered with). The header and payload sections can be decoded and read by anyone with the token — they are not encrypted, only encoded. The JWT Decoder decodes all three sections, displays the header and payload as formatted JSON, calculates the time remaining until the token expires (from the exp claim), and shows the issued-at time (iat claim) in human-readable form. Note that signature verification requires the server's secret key and is not performed client-side.

How to Use JWT Decoder & Inspector

Paste your JWT token — the full three-part token including both dot separators — into the input field.
Click 'Sample' to load an example JWT and see all three decoded sections.
Click ⚡ Decode or press Ctrl+Enter to parse the token and display its contents.
Review the decoded header (algorithm, token type) and payload (all claims) in formatted JSON.
Check the expiry information — the tool shows whether the token is still valid and how much time remains.
Use the decoded claims to debug authentication issues in your application or API integration.

Frequently Asked Questions

What is a JWT?+

What are the three parts of a JWT?+

What are JWT claims?+

Can the JWT Decoder verify the signature?+

Is it safe to paste a JWT into a decoder tool?+

Why is the payload not encrypted?+

What does it mean when a JWT is expired?+

What is the difference between JWT and session cookies?+

Can I decode a JWT without the secret?+

Is my JWT private when I use this tool?+

JWT Decoder & Inspector

JWT Decoder

What is a JWT Decoder & Inspector?

How to Use JWT Decoder & Inspector

Frequently Asked Questions

Related Tools