JWT Decoder
Decode JWT tokens instantly. View header, payload, claims & expiration status. 100% client-side.
Standard JWT Claims Reference
| Claim | Name | Description |
|---|---|---|
| iss | Issuer | Who created and signed the token |
| sub | Subject | Who the token is about (usually a user ID) |
| aud | Audience | Intended recipient of the token |
| exp | Expiration | Unix timestamp when the token expires |
| nbf | Not Before | Token is invalid before this time |
| iat | Issued At | When the token was created |
| jti | JWT ID | Unique identifier for the token |
Free JWT Decoder — Decode & Inspect JSON Web Tokens
Decode any JSON Web Token (JWT) instantly and inspect its header, payload, and signature — right in your browser. Our free JWT decoder automatically parses the three parts of your token, displays the claims in formatted JSON with syntax highlighting, and checks the expiration status in real-time.
See standard claims like issuer (iss), subject (sub), audience (aud), expiration (exp), and issued-at (iat) clearly labeled with human-readable dates. Critical for developers debugging authentication flows, API integrations, and OAuth implementations. Your JWT never leaves your browser — all decoding happens locally using Base64URL parsing. No server, no logging, no signup.
How to use JWT Decoder
- Paste your JWT — Copy your JSON Web Token and paste it into the input field. The token should have three parts separated by dots (header.payload.signature). The tool validates the format instantly.
- View decoded header — See the algorithm (HS256, RS256, ES256), token type, and key ID. The header tells you how the token is signed and which key to use for verification.
- Inspect the payload — All claims are displayed in formatted JSON. Standard claims show human-readable labels: "exp: 1740000000" becomes a readable UTC date. Custom claims from your application are shown as-is.
- Check expiration — A green "Valid" or red "Expired" badge shows the token's current status with a countdown. The issued-at (iat) timestamp shows when the token was created.
Features
- Auto-Decode — JWT is decoded instantly as you paste it, showing header and payload in formatted JSON with syntax highlighting.
- Expiration Check — Real-time Valid/Expired badge with countdown showing when the token expires or how long ago it expired.
- Claims Table — All payload claims displayed in a table with descriptions. Standard claims (iss, sub, aud, exp, iat) are labeled automatically.
- Syntax Highlighting — Color-coded JSON output with keys, strings, numbers, and booleans in different colors for easy reading.
- Copy Per Section — Copy decoded header or payload JSON separately with one click.
- 100% Client-Side — Your JWT token never leaves your browser. All decoding uses local Base64URL parsing — no server requests.
Frequently Asked Questions
What is a JWT (JSON Web Token)?
JWT is an open standard (RFC 7519) for securely transmitting information between parties as a compact, URL-safe JSON object. It has three parts separated by dots: Header (algorithm and type), Payload (claims/data about the user), and Signature (verifies the token hasn't been tampered with). JWTs are Base64URL-encoded, not encrypted: anyone can decode and read the header and payload, which is why you should never store sensitive information like passwords in a JWT.
Is it safe to paste my JWT into an online decoder?
On UtilHub, yes — all decoding happens 100% in your browser using JavaScript's built-in atob() function for Base64 decoding. No data is ever sent to any server. However, be cautious with other online tools. JWTs often serve as access tokens that grant permissions to APIs and services. Never paste production tokens into tools you don't trust.
What are the standard JWT claims?
The JWT specification defines 7 registered claims: iss (issuer), sub (subject), aud (audience), exp (expiration time), nbf (not before), iat (issued at), and jti (JWT ID). Applications also add custom claims like "role", "email", "permissions", and "scope" for application-specific data.
What is the difference between decoding and verifying a JWT?
Decoding simply reads the Base64URL-encoded header and payload, which anyone can do without a secret key. Verifying checks that the signature is valid, confirming the token wasn't tampered with and was issued by a trusted source. Verification requires the signing key: a shared secret for HMAC algorithms (HS256) or a public key for RSA/ECDSA algorithms (RS256, ES256). Always verify JWTs on your server before trusting their contents.