How to Decode and Inspect a JWT (JSON Web Token)
Free, step-by-step guide. No signup needed — everything runs in your browser.
1. Open the JWT Decoder
Navigate to the tool. No signup, no logs.
2. Paste your JWT
Drop in any JWT — typically a long base64url string with two dots like xxxxxx.yyyyyy.zzzzzz.
3. Read the decoded header and payload
The header (algorithm, key ID) and payload (claims like sub, iat, exp) appear as readable JSON.
4. Check expiration and timestamps
Standard claims (exp, iat, nbf) are shown as readable dates with how long ago or until — catch expired tokens at a glance.
Tips for best results
- JWTs have three parts: header.payload.signature — separated by dots, all base64url-encoded.
- exp is the expiration time in seconds since 1970. iat is when the token was issued. nbf is "not before" — the earliest time it is valid.
- The signature cannot be verified without the signing key (or, for asymmetric algorithms, the matching public key) — this decoder shows you the contents only. Never trust a JWT’s claims without verifying the signature server-side.
- If your payload has nested JSON inside a claim (like permissions), it displays as a string — paste the inner JSON into the JSON Formatter tool to pretty-print it.
- For Authorization headers, paste just the part after "Bearer " — the decoder handles whitespace and prefixes leniently.
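The same inspection done offline, as an added example (not the tool's own code): it splits the token, restores base64url padding, decodes the header and payload, renders exp/iat/nbf as dates, and marks the result as unverified. The function names, the sample claims, and the placeholder signature segment are assumptions constructed for this illustration.

```python
import base64
import json
from datetime import datetime, timezone
import time

def b64url_decode(segment):
    # JWT segments omit "=" padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def inspect_jwt(raw, now=None):
    """Decode header and payload for inspection only; the signature is not checked."""
    token = raw.strip()
    if token.lower().startswith("bearer "):   # accept a pasted Authorization value
        token = token[7:].strip()
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise ValueError("header and payload must be JSON objects")
    now = time.time() if now is None else now
    # exp/iat/nbf are seconds since 1970 (UTC); render them as readable dates.
    times = {k: datetime.fromtimestamp(payload[k], tz=timezone.utc).isoformat()
             for k in ("iat", "nbf", "exp") if isinstance(payload.get(k), (int, float))}
    status = "within validity window"
    if "exp" in times and now >= payload["exp"]:
        status = "expired"
    elif "nbf" in times and now < payload["nbf"]:
        status = "not yet valid"
    return {"header": header, "payload": payload, "times": times,
            "time_status": status, "signature_verified": False}

def _b64url(obj):
    # Helper used only to build the constructed sample below.
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample: made-up claims and a placeholder signature segment.
SAMPLE = "Bearer " + ".".join([
    _b64url({"alg": "HS256", "kid": "demo-key"}),
    _b64url({"sub": "user-123", "iat": 1700000000, "nbf": 1700000000, "exp": 1700003600}),
    "c2lnbmF0dXJl",
])

if __name__ == "__main__":
    print(json.dumps(inspect_jwt(SAMPLE), indent=2))
```

The `signature_verified` field is always False here: anything read from this output is unauthenticated until a server checks the signature with the correct key.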