Decode JWT Online - Free, No Sign-Up
Overview
A JWT is three Base64url segments separated by dots: header, payload, and signature. Paste a token copied from Postman, a browser DevTools network tab, or an Authorization header and the decoder splits it into readable JSON in under a second. The signature stays unverified unless you supply the secret, so you can inspect expired or third-party tokens without any credentials.
How to Use This Tool
Paste your JWT into the input field. The header and payload decode immediately. To verify the signature, select the algorithm (HS256, HS384, or HS512) and enter your secret key. A green badge confirms a valid signature; red means the token or secret does not match.
Ready to get started? It's free, no registration required, and your files never leave your device.
PDF Tool →Frequently Asked Questions
Is it safe to paste a JWT into an online tool?
Decoding runs entirely in your browser using JavaScript. No token data is sent to any server. That said, avoid pasting production tokens with sensitive claims in shared or public environments.
Why does the payload show an exp timestamp instead of a date?
JWTs store expiry as a Unix epoch integer (seconds since Jan 1, 1970). The decoder converts it to a human-readable date and shows whether the token is still valid or expired.
Which signing algorithms does the verifier support?
The tool supports HMAC algorithms: HS256, HS384, and HS512. RSA (RS256) and ECDSA (ES256) verification requires the public key and is not currently supported.