How to Decode a JWT and Inspect Its Claims Safely
To decode a JWT, paste the full token into a decoder and it splits the header, payload and signature, pretty-printing the first two as JSON. The ByteTools JWT Decoder also converts the iat, exp and nbf timestamps into readable dates and shows a badge telling you whether the token is still valid, all without leaving your browser.
A JSON Web Token looks like an impenetrable string of characters, but it is really just three Base64url segments joined by dots. Decoding it is the fastest way to debug an authentication problem.
What a JWT contains and who needs to read it
Every signed JWT has three parts: a header declaring the signing algorithm, a payload carrying claims like the subject, issuer, scopes and expiry, and a signature that protects integrity. The header and payload are only Base64url-encoded, not encrypted, so anyone can read them. That is exactly what makes a decoder useful, and also why you must never place secrets in a payload.
This tool is aimed at developers wiring up OAuth and OpenID Connect, API engineers debugging 401 responses, and security testers inspecting what a token actually asserts. Instead of writing a throwaway script, you paste and read.
How to decode a JWT in your browser
- Paste the full token (header.payload.signature) into the input box.
- Read the decoded header and payload as pretty-printed JSON.
- Check the expiry badge and the human-readable iat, exp and nbf dates.
- Use the copy buttons to grab the decoded JSON if you need it elsewhere.
Registered JWT claims worth knowing
The JWT spec defines a set of standard claims that appear in most tokens. Recognising them lets you diagnose expiry and validity issues at a glance.
| Claim | Meaning | Why it matters |
|---|---|---|
| iat | Issued at | When the token was created |
| exp | Expiry time | After this, the token is rejected |
| nbf | Not before | Token is invalid until this moment |
| sub | Subject | Who or what the token is about |
| iss | Issuer | Which service minted the token |
The three timestamp claims are Unix seconds, which is why a decoder that converts them to dates saves so much mental arithmetic.
Key features and benefits
- Instant decode of header and payload to formatted JSON.
- Readable timestamps for iat, exp and nbf.
- Expiry badge based on the exp and nbf claims.
- Signature shown as raw reference, since it cannot be verified without a key.
- 100% client-side: safe even for production tokens, and works offline.
- Clear errors for malformed or truncated tokens.
Try the JWT Decoder now; it's free and runs entirely in your browser.
Frequently asked questions
Does this tool verify the JWT signature?
No. It only Base64-decodes the header and payload, which needs no secret. Verifying the signature requires the signing key (an HMAC secret or the issuer's public key) and belongs on the server. Never trust a token's claims just because they decode cleanly.
Is it safe to paste a real JWT into an online decoder?
With this tool, yes: decoding runs entirely in your browser and the token is never transmitted or logged. Be wary of decoders that send tokens to a server, because a live token is a bearer credential that grants access to whoever holds it.
What do iat, exp and nbf mean?
They are Unix timestamps in seconds: iat is when the token was issued, exp is when it expires, and nbf is the earliest moment it may be used. This decoder converts all three to readable dates and compares exp against the current time.
Why does my JWT fail to decode?
A valid JWT has exactly three dot-separated base64url segments. Failures usually mean the token was truncated when copied, contains extra whitespace or quotes, or is actually an opaque session token. Check that it starts with something like eyJ.
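The decoding steps above, the claims table, and the malformed-token cases in this answer, worked through as an added example (this is not ByteTools' code). It splits the token, restores base64url padding, parses the header and payload, converts iat/exp/nbf to dates and derives the expiry badge; the signature is only passed through, never verified. The sample token, its placeholder signature bytes and the `now` timestamps are constructed for the example.

```python
import base64
import json
import re
from datetime import datetime, timezone

# Added example (not ByteTools' code): decode and inspect a JWT; the signature is never verified.
B64URL_RE = re.compile(r"^[A-Za-z0-9_-]+$")
TIME_CLAIMS = ("iat", "exp", "nbf")

def b64url_decode(segment: str) -> bytes:
    """Base64url carries no '=' padding; restore it before decoding."""
    if not B64URL_RE.match(segment):
        raise ValueError("segment has characters outside the base64url alphabet")
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_jwt(token: str) -> dict:
    """Split header.payload.signature and parse the first two; failures come back as 'error'."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        return {"error": f"expected 3 dot-separated segments, got {len(parts)}"}
    try:
        header = json.loads(b64url_decode(parts[0]))
        payload = json.loads(b64url_decode(parts[1]))
    except ValueError as exc:  # bad alphabet, bad base64 and bad JSON all land here
        return {"error": f"truncated or malformed token: {exc}"}
    # The signature is returned as an opaque reference only; nothing checks it.
    return {"header": header, "payload": payload, "signature": parts[2]}

def inspect_jwt(token: str, now: int) -> dict:
    """Add ISO dates for iat/exp/nbf and a validity badge relative to `now` (Unix seconds)."""
    decoded = decode_jwt(token)
    if "error" in decoded:
        return decoded
    claims = decoded["payload"]
    times = {c: claims[c] for c in TIME_CLAIMS if type(claims.get(c)) in (int, float)}
    decoded["dates"] = {c: datetime.fromtimestamp(t, timezone.utc).isoformat() for c, t in times.items()}
    if "exp" in times and now >= times["exp"]:    # RFC 7519: now must be before exp
        decoded["badge"] = "expired"
    elif "nbf" in times and now < times["nbf"]:   # ...and must not be before nbf
        decoded["badge"] = "not yet valid"
    else:
        decoded["badge"] = "time-valid (signature unverified)"
    return decoded

def make_sample_token(payload: dict) -> str:
    """Constructed sample input; the signature segment is placeholder bytes, not a real MAC."""
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    header = enc(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    return f"{header}.{enc(json.dumps(payload).encode())}.{enc(b'placeholder-signature')}"
```

The "eyJ" prefix the answer mentions is simply the base64url encoding of the `{"` that opens the header JSON, which is why a token that lacks it usually is not a JWT at all.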
Are JWTs encrypted?
Standard signed JWTs are not encrypted; anyone can read the payload, as this tool demonstrates. Only integrity is protected by the signature. If confidentiality is required, encrypted JWE tokens are used instead.
Related free tools
- Base64 Decoder: decode the individual JWT segments manually.
- JSON Formatter: pretty-print the decoded payload.
- Unix Timestamp Converter: turn iat/exp values into dates.
- SHA-256 Hash Generator: compute hashes for signing workflows.
Built by ByteVancer
ByteTools is a free product of ByteVancer, a software and web development studio that builds web apps, SaaS platforms and custom software for businesses. If you need help building secure authentication or a full product, explore ByteVancer's services and get in touch.
Recommended reading
JWT Decoder Use Cases: When Developers Reach for It
Real scenarios where decoding a JWT solves the problem: debugging logins, checking expiry, inspecting scopes and reading tokens from logs.
JWT Decoding Tips and the Security Mistakes to Avoid
Expert tips for working with JWTs safely: reading claims correctly, avoiding the decode-equals-trust trap, and the alg pitfalls that break auth.
XOR Cipher Use Cases: CTFs, Learning, and Puzzles
Real use cases for the XOR cipher, from CTF challenges and teaching bitwise logic to lightweight obfuscation, with concrete worked examples.
XOR Cipher Tips: Keys, Security, and Common Mistakes
Pro tips and common mistakes for the repeating-key XOR cipher: key length, reuse pitfalls, format choices, and when to switch to real encryption.