JSON Web Token Decoder - Free, No Registration

Overview

A JSON Web Token (RFC 7519) is a compact, URL-safe string made of three Base64url segments separated by dots. The first two segments are JSON: the header names the signing algorithm (alg) and token type, and the payload carries claims like sub (subject), iss (issuer), exp (expiry), and iat (issued at). The third segment is the signature computed over the first two. This tool decodes the header and payload into readable JSON and, if you provide the secret, verifies the signature. Decoding needs no key: anyone holding a token can read its claims, so nothing in a payload should be trusted until the signature has been verified.

How to Use This Tool

Copy your JWT from a browser cookie, Authorization header, or API response and paste it into the field. The header and payload decode instantly. For HMAC-signed tokens, enter your secret and select the algorithm to run signature verification. Select the algorithm yourself rather than taking it from the header: the header is part of the unverified input, and a token that claims a different algorithm (or none at all) should fail, not be verified under whatever it asks for. Expired tokens can still be decoded for inspection; the decoder shows their claims, but a verifier must reject them.

Ready to get started? It's free, no registration required, and your tokens never leave your device.


Frequently Asked Questions

What is the sub claim in a JWT payload?

The sub (subject) claim identifies the principal the token represents. RFC 7519 defines it as a case-sensitive string (or URI) that must be unique within the issuer's scope, typically a user ID such as "42" or a UUID. OAuth systems commonly rely on it, and OIDC requires it in every ID token.

How long should a JWT be valid?

Short-lived access tokens are typically set to 15 minutes or 1 hour. exp and iat are NumericDate values (seconds since the Unix epoch), so exp = iat + 900 or iat + 3600. Refresh tokens may last 7 to 30 days. Shorter expiry limits the damage if a token is stolen; verifiers should allow only a small leeway (a minute or so) for clock skew when checking exp.

Can I decode a JWT generated by Auth0, Okta, or Firebase?

Yes. The header and payload decode regardless of the issuer. Signature verification works only for HMAC algorithms (HS256, HS384, HS512), where the same secret signs and verifies. RS256 tokens from these providers are signed with the issuer's private key and verified with its published public key; public-key verification is not currently supported by this tool, so their signatures cannot be checked here.