JWT Decoder Online

Decode and inspect JWT and Bearer tokens directly in your browser. View header, payload, claims, expiration time, and token structure for auth debugging, OAuth flows, and API integration.

✓ Decode token without signature verification
✓ View header and payload
✓ No key required to read the content
✓ Client-side processing only

Examples
Decode a basic JWT
Input: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Output:
Header: {"alg":"HS256","typ":"JWT"}
Payload: {"sub":"1234567890","name":"John Doe","iat":1516239022}

Inspect the JWT header and payload without verifying the signature.

Decode a Bearer token
Input: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJhcGkuZXhhbXBsZS5jb20iLCJhdWQiOiJteS1hcHAiLCJzY29wZSI6InJlYWQ6dXNlcnMiLCJleHAiOjE5MjQ5OTIwMDB9.signature
Output:
Payload: {"iss":"api.example.com","aud":"my-app","scope":"read:users","exp":1924992000}

Bearer prefixes are common in Authorization headers and can be stripped before JWT inspection.

Inspect expiration claim
Input: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c2VyXzQyIiwiZXhwIjoxOTI0OTkyMDAwLCJpYXQiOjE3MTcyMDAwMDAsInJvbGUiOiJhZG1pbiJ9.signature
Output: Payload includes exp, iat, sub, and role claims for debugging token lifetime and permissions.

JWT claims such as exp and iat are Unix timestamps and are useful when debugging expired or not-yet-valid tokens.

Create a JWT payload
Input: {"sub":"user_42","role":"admin","exp":1924992000}
Output: eyJzdWIiOiJ1c2VyXzQyIiwicm9sZSI6ImFkbWluIiwiZXhwIjoxOTI0OTkyMDAwfQ

Encode a JSON payload into a Base64URL JWT payload segment. Useful for understanding how JWT claims are represented before signing.

How JWT Decoder Works

A JSON Web Token (JWT) usually has three parts: Header, Payload, and Signature. These parts are separated by dots and are encoded with Base64URL.

This decoder reads the token, decodes the header and payload, and displays the JSON data in a readable form. This helps inspect claims such as issuer, subject, audience, issued-at time, expiration time, scopes, roles, and custom application fields.

Signature verification is not performed by this decoder. Decoding shows what is inside the token, but it does not prove that the token is valid, trusted, or untampered.
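
The decode steps described above, as an added example that is not this tool's own code: it strips a Bearer prefix, splits on dots, Base64URL-decodes the header and payload, and renders the time claims. The function names and the `verified: false` field are assumptions made for illustration.

```javascript
// Added example: decode-only JWT inspection. Nothing here checks the signature.
function b64urlToText(segment) {
  // Base64URL swaps '+/' for '-_' and drops '=' padding; undo both for atob().
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (ch) => ch.charCodeAt(0));
  return new TextDecoder('utf-8', { fatal: true }).decode(bytes);
}

function inspectJwt(input, nowSeconds = Math.floor(Date.now() / 1000)) {
  // Accept a bare token or an Authorization header value with a Bearer prefix.
  const token = input.trim().replace(/^(authorization:\s*)?bearer\s+/i, '');
  const parts = token.split('.');
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated segments, got ${parts.length}`);
  }
  const [header, payload] = parts.slice(0, 2).map((segment, index) => {
    try {
      return JSON.parse(b64urlToText(segment));
    } catch {
      throw new Error(`segment ${index} is not Base64URL-encoded JSON`);
    }
  });
  // iat, nbf and exp are Unix timestamps in seconds; render them as UTC dates.
  const times = {};
  for (const claim of ['iat', 'nbf', 'exp']) {
    if (typeof payload?.[claim] === 'number') {
      times[claim] = new Date(payload[claim] * 1000).toISOString();
    }
  }
  const expired = typeof payload?.exp === 'number' ? nowSeconds >= payload.exp : null;
  // verified stays false: readable claims are not proof of authenticity.
  return { header, payload, times, expired, verified: false };
}

// Sample input: the Bearer example from this page (placeholder signature).
const SAMPLE =
  'Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.' +
  'eyJpc3MiOiJhcGkuZXhhbXBsZS5jb20iLCJhdWQiOiJteS1hcHAiLCJzY29wZSI6InJlYWQ6dXNlcnMiLCJleHAiOjE5MjQ5OTIwMDB9' +
  '.signature';
console.log(inspectJwt(SAMPLE));
```

The sample decodes cleanly even though its third segment is the literal text `signature`, which is exactly why decoded claims must not drive an authorization decision.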

JWT, Base64URL, and Security

JWT header and payload sections are encoded, not encrypted. Anyone who has the token can decode these parts and read their contents. For this reason, sensitive secrets should not be placed in a JWT payload unless the token is encrypted using a separate mechanism.

The signature section is used to detect tampering. A server can verify the signature with a secret key or public/private key pair, depending on the algorithm. This tool is intended for inspection and debugging, not for cryptographic validation.

Common JWT Debugging Use Cases

JWT decoding is commonly used when debugging authentication, OAuth, OpenID Connect, API authorization, access tokens, refresh tokens, and Bearer tokens from Authorization headers.

Developers often inspect JWTs to check expiration timestamps, token issuer, audience, scopes, roles, permissions, user identifiers, and unexpected claim values during login or API integration issues.

JWT Decode vs JWT Verify

Decoding a JWT only makes the header and payload readable. It does not check whether the token is valid, expired, trusted, or correctly signed.

Verifying a JWT requires checking the signature, algorithm, issuer, audience, expiration time, and other validation rules used by your application. This decoder helps inspect token contents, while full validation must be performed by your authentication system.
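
The gap between decoding and verifying, as an added example that is not this tool's code: a payload edited after signing still decodes to readable JSON, but a verifier that pins the algorithm, checks the HMAC and then applies issuer, audience and expiry rules rejects it. It uses Node's built-in crypto with HS256 only; the secret, claim values, clock value and function names are constructed for illustration.

```javascript
// Added example (Node.js): decode-only inspection versus real verification.
const { createHmac, timingSafeEqual } = require('node:crypto');

const b64url = (text) => Buffer.from(text).toString('base64url');
const fromB64url = (seg) => JSON.parse(Buffer.from(seg, 'base64url').toString('utf8'));

// Constructed issuer side: sign "header.payload" with HMAC-SHA256.
function signHs256(claims, secret) {
  const input = `${b64url('{"alg":"HS256","typ":"JWT"}')}.${b64url(JSON.stringify(claims))}`;
  return `${input}.${createHmac('sha256', secret).update(input).digest('base64url')}`;
}

function verifyHs256(token, secret, { issuer, audience, now }) {
  const fail = (reason) => ({ ok: false, reason });
  const [h, p, s, ...extra] = token.split('.');
  if (!h || !p || !s || extra.length) return fail('malformed');
  let header, claims;
  try { header = fromB64url(h) ?? {}; claims = fromB64url(p) ?? {}; } catch { return fail('malformed'); }
  // The verifier pins the algorithm; the token header does not get to pick it.
  if (header.alg !== 'HS256') return fail('algorithm not allowed');
  const expected = createHmac('sha256', secret).update(`${h}.${p}`).digest();
  const actual = Buffer.from(s, 'base64url');
  if (actual.length !== expected.length || !timingSafeEqual(actual, expected)) return fail('bad signature');
  // Claims are trusted only after the signature check has passed.
  if (typeof claims.exp !== 'number' || now >= claims.exp) return fail('expired');
  if (claims.iss !== issuer) return fail('wrong issuer');
  if (![].concat(claims.aud ?? []).includes(audience)) return fail('wrong audience');
  return { ok: true, claims };
}

// Constructed sample data: secret, claims and clock are illustrative only.
const SECRET = 'constructed-demo-secret';
const RULES = { issuer: 'api.example.com', audience: 'my-app', now: 1717200000 };
const CLAIMS = { iss: 'api.example.com', aud: 'my-app', sub: 'user_42', role: 'user', exp: 1924992000 };
function demo() {
  const good = signHs256(CLAIMS, SECRET);
  const [h, , s] = good.split('.');
  // Same header and signature, edited payload: still decodes, must not verify.
  const edited = `${h}.${b64url(JSON.stringify({ ...CLAIMS, role: 'admin' }))}.${s}`;
  return {
    good: verifyHs256(good, SECRET, RULES),
    editedDecodes: fromB64url(edited.split('.')[1]).role,
    edited: verifyHs256(edited, SECRET, RULES),
    late: verifyHs256(good, SECRET, { ...RULES, now: CLAIMS.exp }),
    otherAudience: verifyHs256(good, SECRET, { ...RULES, audience: 'other-app' }),
  };
}
console.log(demo());
```

In production, use a maintained JWT library configured with an explicit algorithm allow-list rather than hand-written verification; the point here is only which checks decoding skips.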

FAQ

JWT (JSON Web Token) is a compact, self-contained token format used for authentication and secure data exchange. It is widely used in OAuth, OpenID Connect, and as a Bearer token in Authorization headers.

No. This tool only decodes and inspects token structure — header, payload, and claims. Signature verification and token validation are not performed.

Yes. Decoding simply converts Base64URL data into readable JSON.

Yes. Expired tokens can still be decoded and inspected — useful for auth debugging and investigating access token issues.

No. All decoding happens locally in your browser. Your tokens never leave your device.

JWT payloads are encoded with Base64URL, not encrypted. They are designed to be readable — confidentiality is provided by transport (HTTPS), not encoding.

The signature lets the server verify the token was not tampered with. It is computed from the header and payload using a secret key (HS256) or a private key (RS256), depending on the algorithm.

Usually no. A standard JWT is encoded and signed, not encrypted. The header and payload can be decoded by anyone who has the token.

The exp claim stores the token expiration time as a Unix timestamp. After this time, the token should no longer be accepted by the server.

A Bearer token is a token sent in an HTTP Authorization header. Many Bearer tokens are JWTs, but the term describes how the token is used, not necessarily its format.

No. JWT payloads are usually readable after decoding. Do not place passwords, API keys, private tokens, or other secrets inside a normal JWT payload.