JWT Decoder
Paste a JWT token to decode and inspect its Header, Payload, and Signature — with expiration checking and syntax highlighting.
What Is a JWT Decoder?
A JWT (JSON Web Token) decoder takes a compact, URL-safe token string and splits it into its three components: Header (algorithm and token type), Payload (claims like user ID, roles, expiration), and Signature (verification hash). This tool decodes the Base64URL-encoded Header and Payload into readable, syntax-highlighted JSON. It also checks the exp claim to tell you whether the token is still valid or has expired — all without sending any data to a server.
How to Use the JWT Decoder
- Paste Your Token — Copy a JWT token and paste it into the input field
- Click Decode — Or press Enter to decode the token instantly
- Inspect Results — View the Header (algorithm, type), Payload (claims, expiration), and raw Signature
- Check Expiration — See if the token is valid or expired, with exact timestamps
- Copy Sections — Click Copy on any section to copy its JSON to your clipboard
Why Use This JWT Decoder?
- Instant Decoding — Paste and decode in under a second with zero delay
- Syntax Highlighting — Color-coded JSON makes it easy to read keys, strings, numbers, and booleans
- Expiration Check — Automatically calculates whether the token is valid or expired with human-readable time differences
- Privacy First — Your token never leaves your browser. No server requests, no logging, no storage
- Error Handling — Clear error messages for malformed tokens, invalid Base64, or broken JSON
- Sample Token — Load a sample JWT to test the tool or learn the format
FreeToolbox vs Other JWT Decoders
| Feature | FreeToolbox | jwt.io | token.dev |
|---|---|---|---|
| Browser-based | Yes | Yes | Yes |
| No external scripts | Yes | No (loads libs) | No (loads libs) |
| Expiration check | Yes (auto) | Manual | Yes |
| Syntax highlighting | Yes | Yes | Yes |
| Copy sections | Yes (each) | No | No |
| Dark theme | Yes | No | Optional |
| No ads | Yes | Has ads | Has ads |
FAQ
What is a JWT token?
A JSON Web Token (JWT) is a compact, URL-safe token format used for securely transmitting information between parties. It consists of three Base64URL-encoded parts separated by dots: Header, Payload, and Signature. JWTs are commonly used for authentication and authorization in web applications.
Can this tool verify the signature?
This tool decodes and displays the JWT contents but does not verify the signature. Signature verification requires the secret key or public key used to sign the token, which should never be shared in a browser tool. Use your server-side code to verify signatures.
Is it safe to paste my JWT here?
Yes. This tool runs entirely in your browser. No data is sent to any server, stored, or logged. However, be cautious about sharing JWTs in general — they may contain sensitive claims like user IDs or roles.
What does the exp claim mean?
The 'exp' (expiration time) claim identifies the time after which the JWT must not be accepted. It is a Unix timestamp (seconds since January 1, 1970). This tool automatically converts it to a human-readable date and tells you if the token has expired.
Why does my token show as invalid?
Common reasons include: the token doesn't have exactly 3 parts separated by dots, the Header or Payload is not valid Base64URL encoding, or the decoded content is not valid JSON. Check that you copied the complete token without extra spaces or line breaks.