Encode / Decode

JWT Decoder

Inspect JWT headers and payloads locally.

Runs in your browser
Client-side only. JWTs are decoded in your browser. Tokens are not sent to the server.
Algorithm -
Type -
Expires -
Signature -
Decoded token Ready

About JWT Decoder

JWT Decoder displays token headers and payload claims so you can inspect issuer, audience, expiry, and custom claims while debugging authentication flows.

Common uses

  • Check whether an access token has expired.
  • Inspect scopes or roles returned by an identity provider.
  • Compare header algorithm and key ID values during integration work.

Good to know

Decoding a JWT does not prove it is valid or trusted. Signature verification must happen with the correct key in your application or identity system.

How to inspect a token

Decode the header first to see the algorithm and key ID, then review the payload claims for issuer, audience, subject, scopes, roles, issued time, and expiration.

Security boundary

A decoded JWT is only readable, not trusted. The signature, issuer, audience, clock skew, and key rotation rules must be verified by the identity library or backend that accepts the token.

Common mistakes

Do not paste production tokens into tickets, chat, or screenshots. Even expired tokens can reveal account IDs, tenant names, internal scopes, and application structure.

Before you rely on the output

  • Check whether the source expects a full document, a URL component, bytes, Unicode text, or another encoding boundary before copying the result.
  • Privacy mode: inputs are processed locally in your browser and are not intentionally sent to an application server.

Related tools

Base64, Hex ASCII Converter, HMAC Generator, HTML Entities

An unhandled error has occurred. Reload x