SlapMyWeb

JWT decoder

Decode and inspect JSON Web Tokens. View header, payload, claims, and expiration status. Your token never leaves the browser — zero server calls.

What is JWT Decoder?

A JWT (JSON Web Token) decoder is a developer tool that parses the three parts of a JWT — header, payload, and signature — and displays them in a human-readable format. JWTs are the standard authentication token format used in modern web applications, APIs, and OAuth 2.0 flows. They consist of three base64url-encoded segments separated by dots.

Our free JWT decoder extracts and pretty-prints the header (containing the algorithm and token type) and the payload (containing claims like subject, issuer, expiration time, and custom data). It automatically detects and formats standard timestamp claims (iat, exp, nbf, auth_time) with human-readable dates and shows whether the token has expired.

This tool is invaluable for debugging authentication issues, verifying token contents during API development, inspecting OAuth tokens, and understanding what data your application sends in authorization headers. Everything runs in your browser so your tokens are never exposed to any server.

How to Use JWT Decoder

  1. Paste your JWT token

     Copy a JWT from your application, browser dev tools, API response, or authorization header and paste it into the input field. The decoder accepts any valid three-part JWT string.

  2. Inspect header and payload

     The decoder instantly displays the parsed header (algorithm, type) and payload (all claims) in a formatted view. Timestamp fields like exp, iat, and nbf are shown with human-readable dates and relative time.

  3. Check expiration status

     If the token contains an exp claim, the decoder automatically checks whether it has expired and displays a clear warning banner. Copy the decoded JSON with one click for use in documentation or debugging.

Features

  • Instant decoding of JWT header, payload, and signature components
  • Automatic detection and formatting of timestamp claims (iat, exp, nbf)
  • Clear expired token warning with relative time display
  • Pretty-printed JSON output for both header and payload sections
  • One-click copy of decoded token data as formatted JSON
  • Complete browser-side processing with zero server communication

Frequently Asked Questions

Does this tool verify the JWT signature?
No. This tool decodes and displays the token contents but does not verify the cryptographic signature. Signature verification requires the secret key (HMAC) or public key (RSA/ECDSA) which should never be shared with third-party tools. Use your backend or a local tool for signature verification.
Is it safe to paste my JWT into an online tool?
This specific tool is safe because all decoding happens entirely in your browser. The token is never sent to any server. However, you should never paste production tokens with sensitive claims into tools that make server requests. Always check the network tab if you are unsure.
What do the standard JWT claims mean?
Common claims include: iss (issuer — who created the token), sub (subject — the user ID), aud (audience — intended recipient), exp (expiration time), iat (issued at), nbf (not before — token is not valid before this time), and jti (JWT ID — unique token identifier).
Why does my token show as expired?
The exp claim contains a Unix timestamp (seconds since 1970-01-01). If the current time is past this timestamp, the token is expired. This is normal — JWTs are designed to expire. Your application should refresh the token using a refresh token or re-authentication flow.
Can I decode tokens from Auth0, Firebase, or Supabase?
Yes. All these services issue standard JWTs that this decoder can parse. Auth0 tokens include custom claims under a namespace URL, Firebase tokens include firebase-specific claims, and Supabase tokens include role and user metadata. The decoder displays all claims regardless of the issuer.
What is the difference between JWS and JWE?
JWS (JSON Web Signature) is the most common JWT format — the payload is base64url-encoded but not encrypted, meaning anyone can read it. JWE (JSON Web Encryption) encrypts the payload so only the intended recipient can read it. This decoder works with JWS tokens. JWE tokens require the decryption key to read the payload.