Run this tool instantly in your browser. No signup and no server-side processing.

JWT Decoder

Decode JSON Web Tokens instantly. Never sends your token to any server.

Encoded Token

Header

Payload

JWT Decoder: complete usage guide

Decode JWT headers and payload claims to inspect token structure during authentication and authorization debugging with a repeatable, privacy-first review workflow that helps teams isolate claim issues before escalating to signature, key-distribution, or policy-layer analysis.

What this tool does

It parses JWT segments and renders header plus payload JSON in readable form so you can validate claim shape before touching backend logs.

It highlights common claim checkpoints like exp, nbf, iat, aud, and iss to reduce guesswork when troubleshooting token rejection errors.

It gives teams a fast decode baseline during incident triage, allowing product, backend, and platform engineers to discuss the same token facts.

Typical use cases

Inspect tokens returned by staging identity providers before wiring full verification middleware.
Confirm claim evolution after login, refresh, and impersonation flows across environments.
Triage support tickets where users report invalid token or forbidden responses.
Compare token payload differences between web, mobile, and service-to-service clients.
Verify rollout safety when authentication providers add new custom claims or change audience conventions.

Input examples

JWT token

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NSIsImFkbWluIjp0cnVlfQ.sgn

Header focus

{"alg":"HS256","typ":"JWT"}

Claim focus

{"sub":"12345","aud":"api","exp":1740500000}

Output examples

Decoded header

{
  "alg": "HS256",
  "typ": "JWT"
}

Decoded payload

{
  "sub": "12345",
  "admin": true
}

Review checklist

Verify iss/aud/exp alignment with current environment before signature debugging.

Incident handoff note

Capture token issue context with claim timestamps and expected audience to accelerate backend security triage.

Common errors and fixes

Token has fewer than 3 segments

Ensure token format is header.payload.signature.

Invalid Base64URL segment

Check copy/paste issues or accidental line breaks.

Assuming decode means verify

Use JWT verify flow to validate signature separately.

Timezone confusion on exp claim

Interpret epoch claims in UTC and compare with server clock skew policy.

Wrong tenant or audience mapping

Cross-check aud and tenant-specific claims against the exact environment and client id in use.

Token from different issuer

Confirm iss claim matches the configured identity provider endpoint for the target application.

Security and privacy notes

Token decoding is local and does not call remote APIs.
Do not paste production secrets; only inspect token strings here.
Mask user identifiers before sharing decoded payload screenshots in cross-team channels.
For compliance-sensitive environments, keep decoded claim review inside approved internal tooling and ticket systems.

Step-by-step workflow

Start with a minimal input for JWT Decoder and verify baseline behavior first.
Make assumptions explicit: encoding, delimiter strategy, and timezone.
Change one variable at a time and compare output diffs.
Keep one verified output snapshot as a team reference.

Quality checklist before sharing output

Confirm JWT Decoder output is deterministic across repeated runs with identical input.
Check boundary inputs (empty values, long fields, invalid characters).
Remove sensitive data before sharing output externally.
Verify final rendering on both desktop and mobile viewports.