JWT Decoder Online

Online JWT Token decoder. Parses Header and Payload entirely in your browser — your token never leaves your device.

Related Tools

Free Online JSON Formatter & Beautifier

Free online JSON formatter and beautifier tool. One-click format messy JSON data with syntax highlighting, auto-indent, error detection, expand/collapse, copy to clipboard. Essential developer tool for API debugging and config file viewing.

JSON Validator

Professional JSON validation tool that pinpoints syntax errors by line and column number with intelligent fix suggestions. Supports auto-fix for common errors (trailing commas, single quotes, comments). Essential for debugging API responses and config files.

JSON YAML XML CSV TOML Converter

Free online data format converter supporting bidirectional conversion between JSON, YAML, XML, CSV, and TOML in any combination. Smart format detection, one-click conversion for API development, config migration, and data import/export.

Text Diff Tool

Free online text diff tool. Compare two texts line by line with highlighted additions, deletions, and changes. Great for code comparison.

Regex Tester Online

Professional online regex testing tool. Real-time match highlighting, g/i/m/s flags support, built-in common regex patterns. Essential debugging tool for frontend, backend, and data developers.

My IP Address & IP Lookup — Location, ISP, IP Type (Residential/Datacenter/VPN) & Map

Free online IP lookup tool. See your public IP or query any IP for its location, ISP/ASN, IP type (Residential, Datacenter, VPN, Tor), timezone and coordinates — pinpointed on an interactive map. Four-tier API fallback for reliable results.

Share AI-Generated HTML

The new way to share AI output: render HTML from Claude, ChatGPT, or any AI and generate a -day shareable link — no installs, viewable on any device. Richer than Markdown, easier to share than attachments.

View more

Frequently Asked Questions

Completely safe. The entire decode process uses your browser's native Base64 API — no network request is ever made and your token never leaves your device. Open DevTools → Network and watch for yourself: zero requests while you paste your token.

Encountered other problems or suggestions? Have a bug or suggestion? Drop us an email.

Email Us

What Is a JWT? The Header, Payload & Signature Structure Explained

JSON Web Tokens (JWTs) are the most widely used authentication credential format in 2026. Almost every modern web app — from REST APIs and OAuth flows to single-sign-on systems — issues JWTs. A token looks like this:

eyJhbGci...(Header).eyJzdWIi...(Payload).SflKxwRJ...(Signature)

It's three Base64URL-encoded strings joined by dots:

  • Header: A JSON object containing alg (the signing algorithm, e.g. HS256, RS256, ES256) and typ (always JWT).
  • Payload: A JSON object containing claims. Standard fields include sub (user ID), iat (issued-at timestamp), exp (expiry timestamp), and nbf (not-before timestamp). Everything else is application-specific — roles, org IDs, permissions, etc.
  • Signature: An HMAC or RSA/EC signature over the first two parts. The server uses this to verify the token hasn't been tampered with.

The Header and Payload are only Base64URL-encoded, not encrypted — anyone with the token can read them without a key. That's exactly how this decoder works: pure client-side Base64 decoding, no key required.

Is It Safe to Paste Your JWT Into an Online Tool? Why jwt.io Raises Concerns

The most familiar JWT inspector is jwt.io. But security teams have a standing concern: you're pasting potentially sensitive production tokens into a third-party website. JWT payloads routinely contain user IDs, role assignments, email addresses, and org identifiers — data that strict security policies say shouldn't leave a controlled environment.

Even if jwt.io's code is never malicious, your browser extensions, your company's network proxy, or a future code change could capture that content. When handling production tokens, this isn't paranoia — it's basic security hygiene.

MeTool's JWT Decoder is built on a single principle: your token never leaves your browser. The entire decode process uses the browser's native atob() function — no network request is ever made. Open DevTools → Network tab and verify it yourself: paste a token and the network panel stays completely empty.

JWT Claim Reference: What iat, exp, sub, nbf, iss, aud, and jti Mean

JWT defines a set of Registered Claims — standard fields with precise, interoperable meanings:

  • sub (Subject): The principal the token represents, typically a user ID or account identifier.
  • iat (Issued At): Unix timestamp (seconds) of when the token was created. Used to track token age.
  • exp (Expiration Time): Unix timestamp (seconds) after which the token must be rejected. The most common claim checked server-side.
  • nbf (Not Before): Unix timestamp (seconds) before which the token must be rejected. Used for pre-issued tokens that become valid in the future.
  • iss (Issuer): Identifies who generated the token, e.g. https://auth.example.com.
  • aud (Audience): Identifies the intended recipient(s). Servers verify they are listed in aud before accepting the token.
  • jti (JWT ID): A unique identifier for this token, used to prevent replay attacks.

This tool automatically converts iat, exp, and nbf to human-readable local time and shows them alongside the raw value — no more manually running new Date(exp * 1000) in the console.

Debugging Common JWT Auth Problems with an Online Decoder

Here are the most frequent JWT-related bugs in development, and how to diagnose them in seconds:

Token Expired (401 Unauthorized)

Paste the token and check the exp field in the Payload claims table. The tool shows "Expired" or "Expires at [local time]" — faster than mentally converting a Unix timestamp.

Algorithm Mismatch (Signature Verification Fails)

Check the alg field in the Header and confirm it matches your server config. HS256 and RS256 are the most common point of confusion: HS256 is symmetric (same key signs and verifies), RS256 is asymmetric (private key signs, public key verifies).

Missing or Wrong Role/Permission (403 Forbidden)

Expand the custom claims in the Payload — roles, permissions, scope — and confirm the token carries the expected access level. Remember: with stateless JWTs, permission changes don't propagate until the user gets a new token.

Inspecting Nested JSON Claims

Some systems embed nested objects or arrays in the Payload — user profile data, multi-tenant org info, feature flags. The claims detail table detects nested structures, shows a type badge (e.g. Object {3} or Array [5]), and lets you expand/collapse them. Each nested value has its own copy button that copies the fully formatted JSON.