Decode JWT Token Online — Claims, Expiry & Payload

You have a JWT but don't know what's inside it. This step-by-step guide shows you how to decode a JWT online in seconds, what each part means, and how to do it in code.

Free Online JWT Decoder

Decode any JWT instantly. See header, payload, claims, and expiry. Nothing sent to any server.

Open JWT Decoder →

What you'll find inside a JWT

Every JWT contains three Base64URL-encoded sections separated by dots. When decoded, they reveal:

New to JWTs entirely? Read What is a JWT? first for a full breakdown of the format.

How to decode a JWT online (30 seconds)

  1. Copy your JWT — it starts with eyJ (Base64URL for {")
  2. Open the JWT decoder on tinybench.dev
  3. Paste the token into the input field
  4. The header and payload are decoded instantly — see all claims, expiry time, and token metadata

Safe to use: The decoder runs entirely in your browser. Your token is never sent to any server — unlike many other JWT tools online.

Decoding a JWT manually

A JWT has the format header.payload.signature. The header and payload are just Base64URL-encoded JSON. You can decode them without any special tool:

Decode JWT payload manually in JavaScript
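function decodeJWT(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('Expected header.payload.signature');
  // Base64URL -> Base64, then decode the bytes as UTF-8 so non-ASCII claims survive
  const decodePart = (part) => {
    const b64 = part.replace(/-/g, '+').replace(/_/g, '/');
    const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
    return JSON.parse(new TextDecoder().decode(bytes));
  };
  return { header: decodePart(parts[0]), payload: decodePart(parts[1]) };
}

// yourToken holds the JWT string you want to inspect
const { header, payload } = decodeJWT(yourToken);
console.log(payload.sub);   // user ID
console.log(payload.exp);   // expiry (Unix timestamp)
console.log(payload.email); // custom claim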
Python
import base64, json

def decode_jwt_payload(token):
    payload_b64 = token.split('.')[1]
    # Restore the stripped Base64 padding (adds nothing when the length is already a multiple of 4)
    payload_b64 += '=' * (-len(payload_b64) % 4)
    payload_bytes = base64.urlsafe_b64decode(payload_b64)
    return json.loads(payload_bytes)

payload = decode_jwt_payload(your_token)
print(payload['sub'])   # user ID
print(payload['exp'])   # expiry timestamp

For a deeper Python example using the PyJWT library, see our guide on decoding JWTs in Python.

Important JWT claims to check

| Claim | Meaning | Format |
|-------|---------|--------|
| sub | Subject (usually user ID) | String |
| exp | Expiry time — reject if past this | Unix timestamp (seconds) |
| iat | Issued at time | Unix timestamp (seconds) |
| nbf | Not before — token invalid before this time | Unix timestamp (seconds) |
| iss | Issuer — who created the token | String (usually a URL) |
| aud | Audience — intended recipient | String or array |
| jti | JWT ID — unique identifier for this token | String |

The exp claim is a Unix timestamp — use the Unix timestamp converter to convert it to a readable date.

How to check if a JWT is expired

JavaScript — check expiry
function isTokenExpired(token) {
  const { payload } = decodeJWT(token);
  if (!payload.exp) return false; // No expiry set
  return Date.now() / 1000 > payload.exp;
}

if (isTokenExpired(token)) {
  // Redirect to login or refresh the token
}

The JWT decoder tool automatically shows a human-readable expiry time and flags whether the token is expired.

Never trust a decoded JWT without verifying the signature server-side. Decoding tells you what claims the token contains. Only signature verification (using your secret key) proves the token wasn't forged or tampered with.
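
The gap between decoding and verifying, shown as an added example (not code from this page or its decoder tool): a Node.js HS256 check that pins the algorithm, compares the HMAC in constant time, and only then reads the claims. The function names, secret, timestamps and claims are constructed for illustration, and requiring exp is this example's own choice.

```javascript
const { createHmac, timingSafeEqual } = require('node:crypto');

const b64urlJson = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const parseB64urlJson = (seg) => JSON.parse(Buffer.from(seg, 'base64url').toString('utf8'));
const hmac = (data, secret) => createHmac('sha256', secret).update(data).digest();

// Demo-only signer so the sample tokens below can be built offline.
function signHS256(payload, secret) {
  const signingInput = `${b64urlJson({ alg: 'HS256', typ: 'JWT' })}.${b64urlJson(payload)}`;
  return `${signingInput}.${hmac(signingInput, secret).toString('base64url')}`;
}

// Verify first, read claims second. Returns { ok, reason, payload }.
function verifyHS256(token, secret, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const [h, p, sig] = parts;
  let header;
  try { header = parseB64urlJson(h); } catch { return { ok: false, reason: 'malformed' }; }
  // Pin the algorithm: the token's own header must not choose it (rejects "none").
  if (header?.alg !== 'HS256') return { ok: false, reason: 'unexpected alg' };
  const expected = hmac(`${h}.${p}`, secret);
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad signature' };
  }
  let payload;
  try { payload = parseB64urlJson(p); } catch { return { ok: false, reason: 'malformed' }; }
  // Assumption of this example: a token without exp is rejected rather than treated as valid.
  if (typeof payload?.exp !== 'number') return { ok: false, reason: 'missing exp' };
  if (nowSeconds >= payload.exp) return { ok: false, reason: 'expired' };
  return { ok: true, reason: null, payload };
}

// Constructed sample data: one genuine token, one with an edited payload and the old signature.
const SECRET = 'constructed-demo-secret';
const NOW = 1700000000;
const good = signHS256({ sub: 'user-123', role: 'user', exp: NOW + 3600 }, SECRET);
const [gh, , gs] = good.split('.');
const forged = `${gh}.${b64urlJson({ sub: 'user-123', role: 'admin', exp: NOW + 3600 })}.${gs}`;

console.log(parseB64urlJson(forged.split('.')[1]).role); // the edited payload still decodes
console.log(verifyHS256(forged, SECRET, NOW).reason);    // verification is what catches it
console.log(verifyHS256(good, SECRET, NOW).ok);
```
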

Frequently asked questions

Can I decode a JWT without the secret key?
Yes — you can decode (read) the header and payload without the secret key. The secret key is only needed to verify the signature. This is why you should never put sensitive data in a JWT payload.

Why does my JWT start with eyJ?
All JWTs start with eyJ because the header always begins with {"alg" — and Base64URL encoding of {"alg" starts with eyJ. It's a reliable way to identify a JWT.

What's the difference between decoding and verifying a JWT?
Decoding reads the contents (header + payload). Verifying checks the signature to confirm the token is genuine and unmodified. Always verify in production code — never trust a JWT based on decoding alone.
