Free Online JWT Decoder & Inspector

About this tool

This free online JWT decoder lets you inspect token header and payload claims instantly, including exp/iat/nbf checks and common structure validation. All decoding runs locally in your browser — no uploads and no server-side processing. Use it to debug authentication flows, verify what your app is actually receiving, and quickly export decoded sections for incident response or logging.

Common use cases

• Inspect header and payload claims during OAuth/OpenID debugging
• Check token expiration (exp), issued-at (iat), and not-before (nbf)
• Confirm issuer (iss), audience (aud), subject (sub), and scopes/roles
• Copy or download decoded sections for troubleshooting and reporting
• Optionally verify HS256/384/512 signatures when you have the shared secret

How it works

JWTs are three base64url-encoded parts: header, payload, and signature. This tool decodes the header and payload by base64url decoding and JSON parsing, then evaluates time-based claims (exp/iat/nbf) against your local clock. Signature verification is optional: when you provide a shared secret for HS* algorithms, the tool computes the expected HMAC and compares it to the token signature — all locally in the browser.

FAQ

Does this JWT decoder upload my token?

No. Decoding and optional verification run locally in your browser.

Does decoding a JWT mean the signature is valid?

No. Decoding only reveals the contents. Signature validity requires verification (HS* verify is available when you provide the secret).

Why do exp/iat/nbf checks show as invalid?

Most issues come from clock skew, tokens being used too early (nbf), or expired tokens (exp). Confirm your system time and token issuance settings.