Does JWT Decoder upload my input?

No. This tool runs in your browser unless the privacy badge explicitly says a server route is required.

Can I use this for production secrets?

Avoid pasting sensitive production data into any website. Prefer local test data or redacted payloads.

Does decoded mean verified?

No. Decoding only reads Base64URL segments. Signature validation must happen in your auth service or backend.

Which claims should I check first?

Start with exp, nbf, iat, iss, aud, sub, scope, tenant, and algorithm values, then confirm signature verification outside this page.

JWT Decoder - Free Online JSON Web Token Inspector

jwt decoderjwt token decoderdecode jwtjwt exp checkerPrivacy: Browser local

JWT Decoder

Decode JWT header and payload segments locally for quick inspection.

Input / Output

Start with the tool

Input, output, and copy actions stay in this main surface. Examples and reference checks are separated below.

Copy-ready output

JWT examples

JWT

Expected claim check

Compare issuer, audience, and scope against the values your API expects. This is a local debug check, not signature verification.

Expected issuerExpected audienceExpected scope

IssuerExpected: https://auth.example.comActual: https://auth.example.comMatch

AudienceExpected: bobob-apiActual: bobob-apiMatch

ScopeExpected: read:toolsActual: read:tools, write:notesMatch

Algorithm

RS256

Token type

JWT

Token status

Active

Expected matches

3/3

Sensitive claims

1/7

Copy actions

Copy the bearer header or decoded payload without reselecting text.

JWT time window

Compare iat, nbf, exp, and lifetime against the current browser time before using the token.

Issued age

5d 8h ago

Valid after

5d 8h ago

Expires in

in 26862d 15h

Token lifetime

26868d 0h

Claim inspector

Classify registered, public, and private claims before sharing the decoded payload.

audRegisteredstringbobob-api

expRegisterednumber4102444800

iatRegisterednumber1781049600

issRegisteredstringhttps://auth.example.com

nbfRegisterednumber1781049600

scopePrivatestringread:tools write:notes

subRegisteredstringuser_123

Redaction review

Find identity and secret-like claims before sharing a decoded payload in tickets, docs, or chat.

subIdentifierstringuser_123

Redacted preview

{
  "sub": "[redacted]",
  "iss": "https://auth.example.com",
  "aud": "bobob-api",
  "scope": "read:tools write:notes",
  "iat": 1781049600,
  "nbf": 1781049600,
  "exp": 4102444800
}

JWT claims

Review identity, issuer, audience, time claims, and signature state before using the token.

Subject:user_123

Issuer:https://auth.example.com

Audience:bobob-api

Scope:read:tools write:notes

Issued at:2026-06-10T00:00:00.000Z (1781049600)

Not before:2026-06-10T00:00:00.000Z (1781049600)

Expires at:2100-01-01T00:00:00.000Z (4102444800)

Signature:Present

Review notes

- This decoder does not verify the signature. Confirm trust with the issuer before using the token.
- Sensitive or identity-like claims were detected. Use the redacted payload before sharing.

Related tools

Useful next steps

Next step:

TimestampNext step: Paste Unix seconds, milliseconds, or an ISO string.Base64Next step: Decode copied Base64 payloads from logs JSONNext step: Format compact API responses before copying them into code or docs

Output

Header

Copy-ready output

{
  "alg": "RS256",
  "typ": "JWT"
}

Local session

Input state is saved only in this browser so you can restore the last workspace without an account.

Review after the result

Open examples, checks, and related tools only after the primary input/output flow is done.

Guides

Examples

Starting points for this utility

eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMifQ.signatureExpected aud=bobob-api with scope read:toolseyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJleHAiOjE3ODA2NDY0MDB9.signature

Use cases

Security

Decode JWT header and payload segments while debugging API authentication
Check exp, iat, nbf, iss, aud, scope, and subject claims before sharing a token

Check exp, nbf, iss, aud, scope, and tenant claims before trusting the token.
Verify the signature in your auth service or backend, not only in the decoder.
Redact the original token before sharing screenshots or copied payloads.