Developer
Decode JWT Online
- Browser-based
- No signup
Decode JWT online to troubleshoot authentication issues without writing scripts. View formatted JSON for header and payload, inspect standard claims like `iat`, `exp`, and `aud`, and copy values into bug reports.
Claims like `nbf` (not before) and `exp` (expiry) are Unix timestamps—compare in UTC.
Algorithm `none` in header is a red flag in production tokens—reject such tokens in your API.
100% Client-Side
Your data never leaves your computer.
How to use this tool
Paste the full JWT, review decoded JSON, and note clock skew if expiry seems valid but API rejects the token.
Worked example
Example: decode a stale refresh token to confirm `exp` passed five minutes ago, explaining the silent logout in your SPA.
When to use this
- Support engineers triaging login failures.
- Developers comparing staging vs production token claims.
- Security reviews of sample tokens in docs.
Common examples
- Access token from OAuth login → inspect `exp`, `sub`, and `roles` claims.
- Staging vs production token → compare `iss` and `aud` without verifying signature locally.
- Expired session token → confirm `exp` timestamp against current time in the payload view.
- Staging ID token → confirm `aud` matches your SPA client ID before release.
- Expired refresh token → verify `exp` claim against local clock skew.
What people search for
- jwt decoder
- decode jwt token
- jwt payload viewer
- json web token decoder
- inspect bearer token
Common mistakes
- Pasting live customer tokens into public chat.
- Assuming decode implies trust.
- Ignoring timezone when reading exp.
Related long-tail tasks
- jwt decode without library
- view jwt roles scope claims
- decode jwt from authorization header
How it works
Paste a JWT (optionally with a Bearer prefix). The tool splits header, payload, and signature, Base64URL-decodes the first two segments, and pretty-prints them as JSON. Common time claims (iat, nbf, exp) are shown as timestamps. Signatures are displayed but not verified.
Limitations
Decoding a JWT does not verify its signature or prove the token is valid, trusted, or unexpired. Do not paste production secrets into untrusted tools.
Privacy and file handling
Your data is processed in your browser and is not uploaded to our server.
Related JWT Decoder guides
These pages use the same jwt decoder with guides tailored to specific search intents.
Frequently asked questions
Bearer prefix needed?
Paste only the token string, not the `Bearer ` prefix from Authorization headers.
Encrypted JWE tokens?
This decoder handles signed JWT (JWS) format, not encrypted JWE payloads.
Pretty print JSON?
Output is formatted for reading. Copy claims into your app config as needed.
Related tools
Related pages
- Browse all free online tools on Utilnivo
- Explore more developer tools on Utilnivo
- JWT Decoder — Decode JWT tokens to inspect header and payload claims.
- JWT Encoder — Encode and sign JWTs with HS256 in your browser.
- JWT Generator — Generate sample JWTs with common claims.
- JSON Formatter — Format, minify, and validate JSON with optional key sorting.
- JSON Compare — Compare two JSON documents and list structural differences.
- XML Formatter — Format, minify, and validate XML with readable indentation.
Page last reviewed:
