How JWT Decoding Works

A JSON Web Token (JWT) is a string of three Base64Url-encoded segments separated by dots. Our decoder splits the token, decodes each segment, and presents the structured data in a readable format.

| Segment | Content | What You See |
|---|---|---|
| Header | Algorithm (alg) and token type (typ), e.g. HS256, RS256. | Formatted JSON showing the cryptographic algorithm used to sign the token. |
| Payload | Claims: user data, roles, expiration (exp), issued-at (iat). | Key-value table with automatic timestamp translation for standard time claims. |
| Signature | Cryptographic proof that the header and payload were not modified. | Raw signature value displayed. Verification requires the secret/public key. |
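
The split, decode and timestamp steps described above, as an added JavaScript example; it is not JSONEscape's own code. The function names, the sample token and its claim values (including the placeholder signature) are constructed for illustration, nbf is included as a third standard time claim alongside exp and iat, and dates are shown in UTC rather than local time.

```javascript
// Added example: decode-only JWT inspection. It never verifies the signature.
const TIME_CLAIMS = ["exp", "iat", "nbf"]; // NumericDate claims (seconds since epoch)

// Base64Url -> UTF-8 text: restore the standard alphabet and padding first.
function b64urlDecode(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment) || segment.length % 4 === 1) {
    throw new Error("invalid Base64Url segment");
  }
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected three dot-separated segments");
  const [header, payload] = parts.slice(0, 2).map((s) => JSON.parse(b64urlDecode(s)));
  for (const obj of [header, payload]) {
    if (obj === null || typeof obj !== "object" || Array.isArray(obj)) {
      throw new Error("header and payload must be JSON objects");
    }
  }
  const times = {};
  for (const name of TIME_CLAIMS) {
    if (Number.isFinite(payload[name])) {
      times[name] = new Date(payload[name] * 1000).toISOString(); // seconds -> ms, UTC
    }
  }
  return {
    header,
    payload,
    times,
    expired: Number.isFinite(payload.exp) ? nowSeconds >= payload.exp : null,
    signature: parts[2], // raw Base64Url; checking it needs the secret/public key
    verified: false, // decoded claims are untrusted until a verifier checks them
  };
}

// Constructed sample token; the third segment is a placeholder, not a real signature.
const enc = (o) => btoa(JSON.stringify(o)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE_TOKEN = [
  enc({ alg: "HS256", typ: "JWT" }),
  enc({ sub: "user-123", aud: "api.example.test", iat: 1700000000, exp: 1700003600 }),
  "c2lnbmF0dXJl",
].join(".");

console.log(decodeJwt(SAMPLE_TOKEN));
```

Malformed input (wrong segment count, characters outside the Base64Url alphabet, non-object JSON) raises an error instead of producing a partial result.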

Developer Use Cases

Real-world scenarios where our JWT Decoder saves debugging time.

Debugging Authentication Flows

When implementing OAuth 2.0 or Single Sign-On (SSO), your frontend receives a token, but you keep getting 401 Unauthorized errors from the backend.

Paste your token into our JWT Decoder to instantly check whether the token contains the correct user roles, scopes, and audience (aud) claims before sending it to your API.

Checking Token Expiration (exp / iat)

You need to know exactly when a session token expires to handle silent refresh logic in your frontend app, but the token only provides a cryptic Unix timestamp.

Our parser not only extracts the exp (Expiration Time) and iat (Issued At) claims, but also automatically translates those integers into human-readable local dates right in your browser.

Inspecting ID Tokens Without Backend Logs

You want to check what user profile data (like email or avatar URL) is embedded inside an OpenID Connect (OIDC) ID token without setting up a backend server to decode it.

Decode the token 100% locally. View the entire JSON payload instantly without risking sensitive user data exposure.

Frequently Asked Questions

Is it safe to decode my production JWT here?

Absolutely. JSONEscape is built on a strict zero-upload policy. When you paste your JWT, the Base64Url decoding happens entirely via JavaScript within your browser's local memory. Your token never traverses the network, meaning your session data and access privileges remain completely private.

What is a JSON Web Token (JWT)?

A JWT is a compact, URL-safe means of representing claims to be transferred between two parties. It consists of three parts separated by dots: a Header (describing the cryptographic algorithm), a Payload (containing the actual JSON data or claims), and a Signature (to verify the token hasn't been tampered with).

Can this tool crack or verify the JWT signature?

This tool is primarily a parser and decoder for the Base64Url-encoded Header and Payload sections. Since we do not require you to upload your private cryptographic keys to our servers, we focus on making the data readable rather than performing server-side cryptographic validation. The decoded claims are therefore unverified: checking the signature requires the secret or public key.

Why do some fields like iat or exp look like random numbers?

Those are Unix timestamps representing seconds since the Epoch (Jan 1, 1970). They dictate when the token was issued and when it expires. Our decoder automatically detects standard time-based claims and displays the translated human-readable dates next to them.