JWT Decoder

Decode and inspect JWT tokens instantly to view headers, payloads, and expiration status locally in your browser.

Expires in 3117d 1h 10m

2034-12-17T20:26:40.000Z

Header

alg: HS256 · typ: JWT

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload

5 claims

{
  "sub": "user_123",
  "name": "Alice",
  "email": "alice@example.com",
  "iat": 1704067200,
  "exp": 2050000000
}

Signature

Cannot be verified client-side without the secret key

SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

What you can solve

How to decode a JWT token?

You can use this online JWT decoder to instantly see the contents of your token. Simply paste the string, and the tool will use Base64URL decoding to reveal the header and payload sections.

How to inspect JWT header and payload?

A JWT consists of three parts separated by dots. This tool automatically separates them and formats the JSON data so you can easily inspect the algorithm, claims, and metadata.

How to check JWT expiration?

Look for the 'exp' claim in the decoded payload. Our tool automatically parses this timestamp and displays it in a human-readable format, along with a countdown showing if the token is still valid.

How to validate JWT structure?

Ensure the token follows the [header].[payload].[signature] format. The tool checks if each section is properly Base64URL encoded and provides an error message if the structure is malformed.

How to troubleshoot authentication issues with JWT?

Start by decoding the token to verify if it has expired and if it contains the expected scopes or roles. Comparing the claims in the token with your backend expectations is the first step in debugging auth failures.

How to understand Base64URL decoding?

JWT uses a URL-safe version of Base64 where '+' is replaced with '-' and '/' with '_'. This tool handles the conversion automatically so you don't have to manually swap characters before decoding.
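The decode, structure check and expiry check described above, written out as an added example (not this tool's own code). It runs under Node.js and uses `Buffer` for Base64 (a browser would use `atob`); the names `inspectJwt`, `b64urlDecode`, `b64urlEncode` and `sampleToken` are hypothetical, and the sample token is constructed from the header and payload shown on this page with a placeholder signature.

```javascript
// Decode-only inspection: nothing here verifies the signature.
const B64URL = /^[A-Za-z0-9_-]+$/;

// Base64URL -> text: map '-'/'_' back to '+'/'/' and restore '=' padding.
function b64urlDecode(seg) {
  if (!B64URL.test(seg) || seg.length % 4 === 1) throw new Error('bad segment');
  const b64 = seg.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

// Used only to build the constructed sample token below.
function b64urlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = String(token).trim().split('.');
  let header, payload;
  try {
    if (parts.length !== 3 || !B64URL.test(parts[2])) throw new Error('shape');
    header = JSON.parse(b64urlDecode(parts[0]));
    payload = JSON.parse(b64urlDecode(parts[1]));
    const isObj = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);
    if (!isObj(header) || !isObj(payload)) throw new Error('not JSON objects');
  } catch (e) {
    throw new Error('Invalid JWT format');
  }
  // exp is seconds since the Unix epoch; the bound keeps Date in its valid range.
  const hasExp = Number.isFinite(payload.exp) && Math.abs(payload.exp) <= 8.64e12;
  return {
    header,
    payload,
    expiresAt: hasExp ? new Date(payload.exp * 1000).toISOString() : null,
    expired: hasExp ? nowSeconds >= payload.exp : null,
    signatureVerified: false, // decoding says nothing about authenticity
  };
}

// Constructed sample built from the header and payload shown on this page.
const sampleToken = [
  b64urlEncode({ alg: 'HS256', typ: 'JWT' }),
  b64urlEncode({ sub: 'user_123', name: 'Alice', email: 'alice@example.com',
    iat: 1704067200, exp: 2050000000 }),
  'c2lnLXBsYWNlaG9sZGVy', // placeholder, not a real signature
].join('.');

console.log(inspectJwt(sampleToken));
```

The result always reports `signatureVerified: false`, so claims read this way are for debugging only and must not drive an authorization decision.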

What is JWT Decoder?

The JWT Decoder is a simple yet powerful online tool designed to help developers and security professionals quickly understand the contents of a JSON Web Token (JWT). By simply pasting a token, you can instantly see its decoded header and payload, along with crucial expiry information. This tool simplifies debugging and validation of JWTs in various applications.

How to use JWT Decoder

Paste your full JWT string into the input field. The tool automatically decodes the header and payload using Base64URL decoding and displays them as formatted JSON. You can copy each decoded section individually, check the token’s expiry status, and validate whether the structure follows the standard three-part JWT format.

Example

Input:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyLCJleHAiOjI1MjQ2MDgwMDB9.someSignatureHere

Output (Decoded Header):
{
  "alg": "HS256",
  "typ": "JWT"
}

Output (Decoded Payload):
{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022,
  "exp": 2524608000
}

Output (Expiry Status):
Valid (Expires in X days) — Expires at Dec 31, 2049, 12:00 AM

Common use cases

1. Debugging authentication issues by inspecting token contents.

2. Validating claims and metadata generated by identity providers.

3. Checking token expiration to understand validity windows.

4. Analyzing JWT structure during security audits.

5. Extracting user information (e.g., user ID, roles) from a token.

6. Learning JWT structure by observing decoded components.

Frequently asked questions

What is a JWT?

A JWT (JSON Web Token) is a compact, URL-safe means of representing claims between two parties. It consists of a header, a payload, and a signature, separated by dots.

Is this tool safe for sensitive JWTs?

Yes. All decoding happens entirely in your browser using client-side JavaScript. Your token is never transmitted to any server. For highly sensitive production tokens, consider using offline tools within your trusted environment.

Why do I get an "Invalid JWT format" error?

This error appears when the input does not contain exactly three dot-separated parts (header.payload.signature), or when the header/payload sections are not valid Base64URL-encoded strings.

Does this tool verify the signature?

No. This tool focuses on decoding and structural inspection only. Signature verification requires the secret or public key and should be performed within your application or security environment.