Skip to main content
Utilnivo

Developer

Decode JWT Online

  • Browser-based
  • No signup

Decode JWT online to troubleshoot authentication issues without writing scripts. View formatted JSON for header and payload, inspect standard claims like `iat`, `exp`, and `aud`, and copy values into bug reports.

Claims like `nbf` (not before) and `exp` (expiry) are Unix timestamps—compare in UTC.

Algorithm `none` in header is a red flag in production tokens—reject such tokens in your API.

100% Client-Side

Your data never leaves your computer.

How to use this tool

Paste the full JWT, review decoded JSON, and note clock skew if expiry seems valid but API rejects the token.

Worked example

Example: decode a stale refresh token to confirm `exp` passed five minutes ago, explaining the silent logout in your SPA.

When to use this

  • Support engineers triaging login failures.
  • Developers comparing staging vs production token claims.
  • Security reviews of sample tokens in docs.

Common examples

  • Access token from OAuth login → inspect `exp`, `sub`, and `roles` claims.
  • Staging vs production token → compare `iss` and `aud` without verifying signature locally.
  • Expired session token → confirm `exp` timestamp against current time in the payload view.
  • Staging ID token → confirm `aud` matches your SPA client ID before release.
  • Expired refresh token → verify `exp` claim against local clock skew.

What people search for

  • jwt decoder
  • decode jwt token
  • jwt payload viewer
  • json web token decoder
  • inspect bearer token

Common mistakes

  • Pasting live customer tokens into public chat.
  • Assuming decode implies trust.
  • Ignoring timezone when reading exp.
  • jwt decode without library
  • view jwt roles scope claims
  • decode jwt from authorization header

How it works

Paste a JWT (optionally with a Bearer prefix). The tool splits header, payload, and signature, Base64URL-decodes the first two segments, and pretty-prints them as JSON. Common time claims (iat, nbf, exp) are shown as timestamps. Signatures are displayed but not verified.

Limitations

Decoding a JWT does not verify its signature or prove the token is valid, trusted, or unexpired. Do not paste production secrets into untrusted tools.

Privacy and file handling

Your data is processed in your browser and is not uploaded to our server.

These pages use the same jwt decoder with guides tailored to specific search intents.

Frequently asked questions

Bearer prefix needed?

Paste only the token string, not the `Bearer ` prefix from Authorization headers.

Encrypted JWE tokens?

This decoder handles signed JWT (JWS) format, not encrypted JWE payloads.

Pretty print JSON?

Output is formatted for reading. Copy claims into your app config as needed.

Page last reviewed: