ToolPix

JWT Decoder

Decode and inspect JSON Web Tokens. View header, payload, and signature with color-coded display. Auto-decode on paste. All processing happens in your browser.


How to Decode JWTs

  1. Paste JWT Token

     Paste a JSON Web Token into the input field.

  2. View Decoded Parts

     See the header (algorithm, type) and payload (claims) displayed as formatted JSON, and the signature as its raw Base64URL segment. The signature is bytes, not JSON, so it is shown but not interpreted.

  3. Check Expiration

     Timestamps like exp, iat, and nbf are automatically converted to human-readable dates with expiration status.

  4. Copy Sections

     Copy individual decoded sections to your clipboard.
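The four steps above, as an added example that is not ToolPix's own code: a minimal decoder that splits the token, Base64URL-decodes the header and payload, parses them as JSON, converts exp/iat/nbf to ISO dates and reports an expiration status. Like the tool it verifies nothing, and it says so in its result. Function names (decodeJwt, makeSampleToken) and the sample claims are hypothetical; the token is constructed inline with a placeholder signature. Runs in a browser or in Node.js 16 or later, where atob/btoa and TextEncoder/TextDecoder are globals.

```javascript
// Added example, not ToolPix's code: decode-and-inspect only, no signature check.
// Base64URL (RFC 4648 section 5) is Base64 with '-' and '_' and no '=' padding.

const B64URL_RE = /^[A-Za-z0-9_-]*$/;

function base64UrlDecode(seg) {
  if (!B64URL_RE.test(seg)) throw new Error('segment is not Base64URL');
  if (seg.length % 4 === 1) throw new Error('invalid Base64URL length');
  const b64 = seg.replace(/-/g, '+').replace(/_/g, '/')
    .padEnd(Math.ceil(seg.length / 4) * 4, '=');
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  // fatal: true rejects malformed UTF-8 instead of silently substituting U+FFFD.
  return new TextDecoder('utf-8', { fatal: true }).decode(bytes);
}

function base64UrlEncode(str) {
  const bin = Array.from(new TextEncoder().encode(str), (b) => String.fromCharCode(b)).join('');
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// exp, iat and nbf are RFC 7519 NumericDate values: seconds since the Unix epoch.
const TIME_CLAIMS = ['exp', 'iat', 'nbf'];

// `now` is in seconds and defaults to the local clock, as an in-browser tool would use.
function decodeJwt(token, now = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split('.');
  // A signed JWT (JWS compact serialization) has exactly three parts; a JWE has five.
  if (parts.length !== 3) throw new Error(`expected 3 dot-separated parts, got ${parts.length}`);
  const [h, p, sig] = parts;

  const header = JSON.parse(base64UrlDecode(h));
  const payload = JSON.parse(base64UrlDecode(p));

  const times = {};
  for (const c of TIME_CLAIMS) {
    if (typeof payload[c] === 'number') times[c] = new Date(payload[c] * 1000).toISOString();
  }

  let status = 'not set';
  if (typeof payload.exp === 'number') status = payload.exp > now ? 'valid' : 'expired';
  const notYetValid = typeof payload.nbf === 'number' && payload.nbf > now;

  // The signature is opaque bytes, not JSON: return the raw Base64URL segment.
  // verified: false is a reminder that nothing here has been authenticated.
  return { header, payload, signature: sig, times, status, notYetValid, verified: false };
}

// Constructed sample token with hypothetical claims and a placeholder signature.
function makeSampleToken() {
  const header = { alg: 'HS256', typ: 'JWT' };
  const payload = { sub: '1234567890', name: 'Alice Example', role: 'user',
                    iat: 1516239022, exp: 1516242622 };
  return `${base64UrlEncode(JSON.stringify(header))}.${base64UrlEncode(JSON.stringify(payload))}.placeholder-signature`;
}

// Decode the sample as of a fixed instant so the status is reproducible.
console.log(JSON.stringify(decodeJwt(makeSampleToken(), 1516240000), null, 2));
```

Passing a fixed `now` makes the expiration status reproducible in tests; in the browser the default argument uses the device clock, so a skewed clock will show a live token as expired or an expired one as valid.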

About JSON Web Tokens

A JSON Web Token (JWT, pronounced 'jot') is a compact, URL-safe token format defined by RFC 7519 for representing claims that are transferred between two parties. A signed JWT (a JWS in compact serialization) consists of three Base64URL-encoded parts separated by dots: header, payload, and signature; an encrypted JWT (JWE) has five parts, and this decoder expects the three-part form. JWTs are the backbone of modern authentication systems including OAuth 2.0, OpenID Connect, and stateless session management.

The header specifies the signing algorithm (for example HS256, RS256, or ES256) and the token type. The payload contains claims: standardized statements such as subject (sub), issuer (iss), audience (aud), expiration (exp), and issued-at (iat), plus custom claims like roles and email. The signature lets a verifier that holds the right key detect any change to the header or payload; until that check is actually performed, the claims are just unauthenticated text.

ToolPix's JWT decoder displays all three parts with formatted JSON output, color-coded sections, and automatic timestamp conversion for exp, iat, and nbf claims. It does not verify signatures (which requires the HMAC secret for HS256 or the issuer's public key for RS256 and ES256), but it is invaluable for debugging authentication flows, inspecting token contents, and checking expiration status.

All decoding happens in your browser; the JWT is never sent to any server. This matters because JWTs often contain sensitive user information, and a still-valid token is a bearer credential: anyone who obtains it can present it. Whether troubleshooting a 401 error, auditing OAuth tokens, or learning JWT structure, this free online decoder provides instant, private results.

Key Features

Auto-decode as you type or paste
Color-coded JWT parts (header, payload, signature)
Formatted JSON output for header and payload
Human-readable timestamps for iat, exp, nbf claims
Expiration status indicator (valid/expired/not set)
Copy individual sections

Common Use Cases

  • Debug authentication issues by inspecting JWT contents
  • Inspect token claims (roles, permissions, user info) during development; this shows what the token says, not whether it is genuine
  • Check token expiration times when troubleshooting session issues
  • Inspect OAuth/OIDC tokens from identity providers
  • Decode API gateway tokens for debugging request authorization

Frequently Asked Questions

Does this tool verify JWT signatures?

No. Signature verification requires the HMAC secret (HS256) or the issuer's public key (RS256, ES256), which this tool does not have. It decodes the visible parts (header and payload), which are Base64URL-encoded, not encrypted. Treat decoded claims as untrusted input until the service that owns the key has verified the signature.

Is it safe to paste my JWT here?

Yes. All decoding happens in your browser. The token is never sent to any server. However, JWTs should still be treated as sensitive: a valid token is a bearer credential, so avoid sharing one in public channels, bug reports, or chat logs, and prefer expired or test-environment tokens when you need to share an example.

What are common JWT claims?

Common claims include: sub (subject/user ID), iss (issuer), aud (audience), exp (expiration), iat (issued at), nbf (not before), jti (JWT ID), and custom claims like role or email.

Why does my JWT show as expired?

The exp claim is a NumericDate: seconds (not milliseconds) since the Unix epoch. If the current time, taken from your device's clock, is past this timestamp, the token is expired. A token that shows as expired the moment it is issued is usually a units mistake, with milliseconds written where seconds were expected, or a skewed clock on one side. Re-authenticate, or use your refresh token if the flow has one, to get a fresh token.

Is this JWT decoder free to use?

Yes. ToolPix's JWT decoder is completely free, requires no registration, and has no usage limits. Decode as many tokens as you need.

Can I decode JWTs on my mobile device?

Yes. The decoder works on all modern mobile browsers. The responsive layout adapts to smaller screens so you can inspect tokens on iOS and Android devices.

What is the difference between HS256 and RS256?

HS256 uses a symmetric shared secret for both signing and verification, so every service that can verify a token can also mint one, and the secret must be distributed to every verifier. RS256 uses an asymmetric key pair: the issuer's private key signs the token and its public key verifies it, so verifiers hold nothing that lets them forge tokens. RS256 is preferred for distributed systems where multiple services need to verify tokens. In either case the verifier should be configured with the algorithm it expects rather than trusting the alg value in the header.

Can JWTs be tampered with if they are only Base64-encoded?

The header and payload are Base64URL-encoded (not encrypted), so anyone can read them, and anyone can edit them and re-encode the result. The signature is what makes tampering detectable: modifying the payload invalidates it, and without the signing key a valid new signature cannot be created. That protection only exists if the receiving service actually verifies the signature with the algorithm and key it expects and rejects tokens whose header claims "none" or a different algorithm. A decoder like this one performs no such check, which is why it will happily display a tampered token.
