Free JWT Decoder - Decode & Verify JSON Web Tokens
Decode and inspect JWT (JSON Web Token) tokens online for free. View the header, payload, and signature components instantly—essential for API developers, authentication debugging, and security analysis. No signup required.
What Is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe token format used for securely transmitting information between parties. JWTs are commonly used for:
- Authentication - Prove user identity
- Authorization - Grant access to resources
- Information exchange - Securely share claims
A JWT consists of three parts separated by dots:
```text
header.payload.signature
```
How to Use
- Paste your JWT - Enter the complete token
- Click "Decode" - Parse the token components
- View header - See algorithm and type
- View payload - Inspect claims and data
- Check signature - Verify (with secret key)
Key Features
- Instant decoding - Parse JWTs in real-time
- Header/Payload display - Formatted JSON view
- Claim interpretation - Readable timestamps
- Expiration check - Highlight expired tokens
- Signature info - Show algorithm used
- Privacy-focused - All processing in browser
JWT Structure Explained
Header
Contains metadata about the token:
```json
{
  "alg": "HS256",
  "typ": "JWT"
}
```
- alg: Signing algorithm (HS256, RS256, etc.)
- typ: Token type (usually "JWT")
Payload (Claims)
Contains the data/claims:
```json
{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022,
  "exp": 1516242622
}
```
Common Claims
| Claim | Name | Description |
|---|---|---|
| iss | Issuer | Who created the token |
| sub | Subject | Who the token is about |
| aud | Audience | Who should accept the token |
| exp | Expiration | When token expires (Unix time) |
| nbf | Not Before | When token becomes valid |
| iat | Issued At | When token was created |
| jti | JWT ID | Unique token identifier |
Signature
Lets the recipient verify that the header and payload have not been tampered with. For HS256 it is computed over the encoded header and payload with a shared secret:
```text
HMACSHA256(
  base64UrlEncode(header) + "." + base64UrlEncode(payload),
  secret
)
```
Use Cases
Development & Debugging
- Auth troubleshooting - See what's in your token
- Claims verification - Check correct data is included
- Expiration debugging - Find timing issues
- Token format validation - Verify structure
- API testing - Inspect received tokens
Security Analysis
- Token inspection - Review token contents
- Algorithm verification - Check signing method
- Claim review - Audit permissions granted
- Expiration monitoring - Check token lifetime
- Vulnerability research - Analyze token security
Learning & Education
- Understanding JWTs - See structure in practice
- Auth flow learning - Trace authentication
- Claims exploration - Learn standard claims
- Security training - Demonstrate JWT concepts
Common JWT Algorithms
| Algorithm | Type | Security | Use Case |
|---|---|---|---|
| HS256 | Symmetric (HMAC-SHA256) | Good | Single-party apps |
| HS384 | Symmetric (HMAC-SHA384) | Better | Higher security |
| HS512 | Symmetric (HMAC-SHA512) | Best | Maximum security |
| RS256 | Asymmetric (RSA-SHA256) | Good | Distributed systems |
| RS384 | Asymmetric (RSA-SHA384) | Better | Higher security |
| RS512 | Asymmetric (RSA-SHA512) | Best | Maximum security |
| ES256 | Asymmetric (ECDSA P-256) | Excellent | Modern applications |
JWT Security Best Practices
DO:
- ✅ Use HTTPS for transmitting JWTs
- ✅ Set short expiration times
- ✅ Validate all claims server-side
- ✅ Use strong secrets for HMAC
- ✅ Keep sensitive data out of payload
DON'T:
- ❌ Store sensitive data in JWT payload
- ❌ Use the "none" algorithm in production
- ❌ Accept tokens from untrusted sources
- ❌ Skip signature verification
- ❌ Use weak or predictable secrets
Understanding Token Expiration
JWT time claims are Unix timestamps (seconds since 1 January 1970 UTC):
| Claim | Meaning | Example Value |
|---|---|---|
| iat | Created at | 1609459200 |
| exp | Expires at | 1609462800 |
| nbf | Valid after | 1609459200 |
Our decoder converts these values to human-readable dates and highlights whether the token has expired.
Frequently Asked Questions
Can I decode any JWT without a secret key?
Yes! The header and payload are only Base64URL encoded, not encrypted, so anyone holding the token can read them. The secret key is needed to verify the signature, not to view the token contents.
Is my token secure if anyone can decode it?
JWTs are signed, not encrypted. The signature proves the token hasn't been modified. Don't put sensitive data in the payload—use encrypted JWTs (JWE) if you need secrecy.
What does "alg: none" mean?
The "none" algorithm declares that the token carries no signature, so there is nothing to verify. If your server accepts it, anyone can forge tokens with arbitrary claims, which is a severe security vulnerability. Never accept unsigned JWTs in production.
Why is my token not decoding?
Common issues:
- Missing or extra characters
- Line breaks in the token
- Incomplete copy/paste
- Invalid Base64URL encoding
How long should JWTs be valid?
- Access tokens: 5-15 minutes
- Refresh tokens: 7-30 days
The shorter the lifetime, the better for security.
Can I edit a JWT?
You can change the payload, but without the secret key, you can't create a valid signature. The modified token will fail verification.
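The following is an added example, not code from this decoder or the original page: a minimal Python HS256 verifier that implements the HMACSHA256 computation from the Signature section and the checks the best-practice list and FAQ call for (a pinned algorithm list so "alg": "none" is rejected, constant-time signature comparison, and exp/nbf validation). The secret is a constructed value; the header and claims are the page's own sample values.

```python
import base64
import hashlib
import hmac
import json
import time

# Algorithms the server accepts. Anything else, including "none", is rejected
# before the signature is even looked at, so the token's header cannot pick
# the verification method.
ALLOWED_ALGS = {"HS256": hashlib.sha256}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # JWT segments omit Base64URL padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """Build header.payload.signature exactly as the HMACSHA256 pseudocode shows."""
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"


def decode_and_verify(token: str, secret: bytes, now=None):
    """Return (header, payload) only if signature and time claims check out."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three dot-separated parts")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    payload = json.loads(b64url_decode(p_b64))
    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:
        raise ValueError(f"algorithm {alg!r} is not allowed")
    signing_input = f"{h_b64}.{p_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, ALLOWED_ALGS[alg]).digest()
    # Constant-time comparison so a forged signature leaks nothing via timing.
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("signature does not match")
    now = int(time.time()) if now is None else now
    if "exp" in payload and now >= payload["exp"]:
        raise ValueError("token has expired")
    if "nbf" in payload and now < payload["nbf"]:
        raise ValueError("token is not yet valid")
    return header, payload
```

Passing `now` explicitly lets the expiry logic be tested against the page's sample timestamps without depending on the wall clock.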