JWT Decoder & Encoder
Free online JWT decoder: decode, verify, and encode JSON Web Tokens instantly, entirely in your browser.
Sample Tokens
Try these real-world examples. Load any token into the decoder to inspect its claims instantly.
Secret: your-256-bit-secret (verifiable)
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Realistic access token, exp in Aug 2023
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c2VyXzg4ZjNrMjEiLCJuYW1lIjoiQWxleCBDYXJ0ZXIiLCJlbWFpbCI6ImFsZXhAZXhhbXBsZS5jb20iLCJyb2xlcyI6WyJhZG1pbiIsImVkaXRvciJdLCJpc3MiOiJodHRwczovL2F1dGguZXhhbXBsZS5jb20iLCJhdWQiOiJodHRwczovL2FwaS5leGFtcGxlLmNvbSIsImlhdCI6MTY5MzQyMDgwMCwiZXhwIjoxNjkzNTA3MjAwfQ.dGhpcyBpcyBhIHNhbXBsZSBzaWduYXR1cmU
Machine token with custom permissions
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJzdmNfcGF5bWVudF9hcGkiLCJzZXJ2aWNlIjoicGF5bWVudC1zZXJ2aWNlIiwiZW52IjoicHJvZHVjdGlvbiIsInBlcm1pc3Npb25zIjpbInJlYWQ6dHJhbnNhY3Rpb25zIiwid3JpdGU6dHJhbnNmZXJzIl0sImlzcyI6Imh0dHBzOi8vYXV0aC5pbnRlcm5hbCIsImlhdCI6MTcxNjIzOTAyMn0.dGhpcyBpcyBhIHNhbXBsZSBzaWduYXR1cmU
Refresh token with 30-day expiry from 2024
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c2VyXzg4ZjNrMjEiLCJ0eXBlIjoicmVmcmVzaCIsImp0aSI6InJ0b2tfOWYzYTJjMWQ4ZTdiNmEwNSIsImlzcyI6Imh0dHBzOi8vYXV0aC5leGFtcGxlLmNvbSIsImlhdCI6MTcxNjIzOTAyMiwiZXhwIjoxNzE4ODMxMDIyfQ.dGhpcyBpcyBhIHNhbXBsZSBzaWduYXR1cmU
Free JWT Decoder Online — Inspect Any Token Instantly
Need to inspect a JWT without pasting it into a sketchy site? Our free JWT Decoder & Encoder decodes any JSON Web Token the moment you paste it in. It splits your token into its header, payload, and signature and displays the claims in clean, readable JSON, so you can see exactly what's inside in seconds.
But it does more than decode. Check token expiry at a glance, verify the signature against a secret or key, and encode and sign your own tokens for testing. Whether you're debugging an auth flow, inspecting API credentials, or building login functionality, everything you need is right here.
Simply paste your token to decode it, or build one to encode. Everything runs in your browser — no sign-up, no downloads, no limits, and your tokens never leave your device.
What This JWT Tool Does
- Decode header & payload — splits your JWT into its three segments and displays each as formatted, syntax-highlighted JSON
- Check expiry — reads the exp and iat claims and tells you at a glance whether the token is still valid or has expired
- Verify signature — confirms the HMAC signature against your secret to prove the token hasn't been tampered with
- Encode & sign — build a custom header and payload, choose your algorithm, and generate a fully signed JWT for testing
- Colour-coded segments — header, payload, and signature are highlighted in red, purple, and blue — the same visual grammar developers recognise from jwt.io
- Privacy-first — all processing happens in your browser using the Web Crypto API; your tokens and secrets are never sent to any server
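An added example, not the tool's own code (which the page says runs on the Web Crypto API in the browser): the same decode, expiry and HMAC checks in standard-library Python, run over two of the sample tokens from this page. The function name inspect_jwt and the verifier-side pin to HS256 are assumptions of this example.

```python
import base64
import hashlib
import hmac
import json
import time

# Sample tokens copied from this page; SECRET is the secret the page gives for the first one.
VERIFIABLE = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
ACCESS = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c2VyXzg4ZjNrMjEiLCJuYW1lIjoiQWxleCBDYXJ0ZXIiLCJlbWFpbCI6ImFsZXhAZXhhbXBsZS5jb20iLCJyb2xlcyI6WyJhZG1pbiIsImVkaXRvciJdLCJpc3MiOiJodHRwczovL2F1dGguZXhhbXBsZS5jb20iLCJhdWQiOiJodHRwczovL2FwaS5leGFtcGxlLmNvbSIsImlhdCI6MTY5MzQyMDgwMCwiZXhwIjoxNjkzNTA3MjAwfQ.dGhpcyBpcyBhIHNhbXBsZSBzaWduYXR1cmU"
SECRET = b"your-256-bit-secret"


def b64url_decode(segment):
    # JWT segments are base64url with the "=" padding stripped; restore it first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_jwt(token, secret, now=None):
    """Decode a compact JWT, verify its HS256 signature, and evaluate exp/iat."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))

    # The verifier pins the algorithm: a header naming anything other than
    # HS256 is treated as unverified, whatever the token itself says.
    signature_valid = False
    if header.get("alg") == "HS256":
        signing_input = (parts[0] + "." + parts[1]).encode("ascii")
        expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
        # Constant-time comparison of the raw MAC bytes.
        signature_valid = hmac.compare_digest(expected, b64url_decode(parts[2]))

    now = time.time() if now is None else now
    exp, iat = claims.get("exp"), claims.get("iat")
    return {
        "header": header,
        "claims": claims,  # readable by anyone; trustworthy only if signature_valid
        "signature_valid": signature_valid,
        "expired": exp is not None and now >= exp,
        "issued_in_future": iat is not None and iat > now,
    }


if __name__ == "__main__":
    for label, tok in (("verifiable", VERIFIABLE), ("access", ACCESS)):
        r = inspect_jwt(tok, SECRET)
        print(label, r["signature_valid"], r["expired"], r["claims"].get("sub"))
```

The second sample decodes cleanly but never verifies, because its signature segment is placeholder text rather than an HMAC: readable claims say nothing about authenticity.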
Decode JWT Tokens from Any Source
Use this tool to inspect JWTs from OAuth 2.0 flows, API gateway responses, identity providers, and microservice authentication headers. Whatever the source, paste it in to see the full claims immediately.
- OAuth 2.0 access tokens — inspect claims from Auth0, Okta, Cognito, Azure AD, and other identity providers
- Bearer tokens in API headers — decode tokens from Authorization headers when debugging REST or GraphQL APIs
- Refresh tokens — check expiry, issuer, and subject claims on long-lived tokens
- Service-to-service tokens — verify permissions and scopes for machine-to-machine authentication
- OIDC ID tokens — inspect user identity claims like sub, email, name, and nonce
Who Uses an Online JWT Decoder?
Backend developers decode tokens to validate claims between microservices and debug auth flows. Frontend engineers inspect tokens from login responses to understand what user data is available. Security engineers verify signatures and check expiry to audit token handling. QA teams use the encoder to generate test tokens with specific claims for automated test suites.