Decode and Analyze JWT Tokens

Advanced8 minutes6 steps

Learn to decode JWT (JSON Web Tokens), inspect header/payload claims, check expiration times, and debug authentication issues.

What You Need

A JWT token to analyze
Basic understanding of authentication concepts

Open the JWT Decoder

Navigate to OnlineTools4Free JWT Decoder. The tool splits any JWT into its three parts: header, payload, and signature.

Paste Your JWT

Copy a JWT from your browser DevTools (Application > Cookies or Network > Authorization header) or from an API response. Paste the entire token — it is a long string of three base64 segments separated by dots.

JWTs are not encrypted — they are only base64-encoded. Never put sensitive data in a JWT payload because anyone can decode it.

Inspect the Header

The header shows the signing algorithm (HS256, RS256, ES256) and token type. HS256 uses a shared secret (symmetric). RS256 uses RSA public/private keys (asymmetric, more common in production). The algorithm tells you how to verify the signature.

Analyze the Payload Claims

The payload contains claims — key-value pairs with user data and metadata. Standard claims include: sub (subject/user ID), iat (issued at), exp (expiration), iss (issuer), aud (audience). Custom claims contain application-specific data like roles, permissions, and email.

Check the exp claim first when debugging "token expired" errors. The value is a Unix timestamp — the tool converts it to a readable date.

Check Expiration

The tool highlights whether the token is currently valid or expired based on the exp claim. Compare iat (issued at) and exp (expiration) to see the token's lifetime. Short-lived tokens (15-60 minutes) are more secure.

Understand Signature Verification

The third segment is the signature, created by signing the header + payload with a secret key. The decoder shows the signature but cannot verify it without the secret key. In production, your server verifies the signature to ensure the token has not been tampered with.

Ready to Try It?

Open the tool and follow the steps above. It is free, private, and works in your browser.

Try It Now

Frequently Asked Questions

Is it safe to paste my JWT into this tool?

Yes, because the tool runs entirely in your browser. The JWT is never sent to any server. However, be aware that JWTs are not encrypted — the payload is readable by anyone who has the token. Never share JWTs publicly.

What is the difference between HS256 and RS256?

HS256 (HMAC-SHA256) uses a single shared secret for both signing and verification. RS256 (RSA-SHA256) uses a private key to sign and a public key to verify. RS256 is preferred for distributed systems because the public key can be shared without compromising security.

Why is my token expired?

Check the exp claim — it is a Unix timestamp indicating when the token becomes invalid. If it is in the past, the token is expired. Your application should use a refresh token to obtain a new access token before or after expiration.

Can I modify a JWT and use it?

You can modify the payload, but the signature will no longer be valid. The server will reject the tampered token during signature verification. This is the security mechanism that prevents JWT forgery.

Decode and Analyze JWT Tokens

What You Need

Open the JWT Decoder

Paste Your JWT

Inspect the Header

Analyze the Payload Claims

Check Expiration

Understand Signature Verification

Ready to Try It?

Frequently Asked Questions

Related Tutorials

Test Regex Patterns Step by Step

Convert Between JSON, YAML, and XML

Decode and Analyze JWT Tokens

What You Need

Open the JWT Decoder

Paste Your JWT

Inspect the Header

Analyze the Payload Claims

Check Expiration

Understand Signature Verification

Ready to Try It?

Frequently Asked Questions

Related Tutorials

Test Regex Patterns Step by Step

Convert Between JSON, YAML, and XML