Decode and inspect JSON Web Tokens instantly. View header, payload, claims and expiry — 100% client-side. Your tokens never leave the browser.
// updated April 2026
JWT (JSON Web Token) is an open standard for securely transmitting information as a JSON object. This tool lets you inspect any JWT token without sending it anywhere — everything is decoded locally in your browser.
A JSON Web Token (JWT) is a compact, URL-safe token format used for authentication and information exchange. It consists of three Base64URL-encoded parts separated by dots: header.payload.signature.
The header contains the algorithm, the payload contains the claims (user data, expiry, issuer), and the signature verifies the token wasn't tampered with. Read our full guide to JWT tokens and how to decode a JWT.
Never paste production tokens into online tools you don't trust — this tool is 100% client-side, but always verify before pasting sensitive tokens anywhere.
JWTs are not encrypted by default — the payload is only Base64-encoded, not encrypted. Anyone with the token can decode the payload. Use JWE if you need encryption.
Always check the exp claim and validate the signature server-side. Decoding ≠ verifying.
PyJWT library: import jwt; jwt.decode(token, options={"verify_signature": False}) to decode without verification. For full verification pass your secret key. See our guide: decode JWT in Python.
., take the second part (payload), and decode it: JSON.parse(atob(token.split('.')[1].replace(/-/g, '+').replace(/_/g, '/'))). For Node.js use the jsonwebtoken library. Full guide: how to decode a JWT.
exp claim is a Unix timestamp representing the token's expiration time. After this time, the token should be rejected. This tool shows you the expiry status and how much time remains — or how long ago it expired.
HS256, HS384, HS512 (HMAC), RS256, RS384, RS512 (RSA), and ES256, ES384, ES512 (ECDSA). Note that signature verification requires the secret/public key.