How to Decode JWT Online — Free JWT Decoder (Header, Payload, Signature)

Decode JWT tokens instantly to read the header and payload. Verify the signature algorithm, inspect claims, and check expiry — free, in your browser, nothing logged.

What a JWT actually contains

A JSON Web Token is three Base64URL-encoded blocks separated by dots: header.payload.signature. The first two are JSON objects; the third is a cryptographic signature of the first two. Decoding is not verification — anyone can decode a JWT. Only the server with the secret/public key can prove the signature is valid.

The decoder shows

  • Header — usually just {"alg": "HS256", "typ": "JWT"}. The alg field tells you which signing algorithm was used.
  • Payload (claims) — the actual data. Common claims: sub (subject / user id), iat (issued at), exp (expiration), iss (issuer), aud (audience), plus any custom claims the issuer added.
  • Signature — opaque bytes; the decoder shows them in hex but can't verify without the key.

Human-readable timestamps

JWTs store timestamps as Unix epoch seconds. The JWT decoder converts exp: 1744822800 into 2026-04-16 18:00:00 UTC automatically. It also flags if the token is already expired or not yet valid.

Don't put secrets in JWTs

Because the payload is only Base64-encoded (not encrypted), anyone with the token can read its contents. Never put passwords, full credit card numbers, or anything secret in a JWT. Use JWE (encrypted) if you need encrypted tokens — but almost everyone just uses signed JWTs with non-sensitive claims, and that's the right default.

Common JWT debugging tasks

  • "Why is my API returning 401?" — decode the token and check exp. Expired tokens are the #1 cause.
  • "What user is this request from?" — sub is the user ID in the standard claims.
  • "What scopes does this token grant?" — look for scope (space-separated string) or permissions (array).
  • "Is this token signed correctly?" — you need the public key; decoding alone won't tell you.
  • "alg: none" alarm — a JWT with alg: none is unsigned; legacy libraries accepted these. Never trust them.

Runs entirely in-browser

Tokens often contain user IDs and session info. The decoder runs fully client-side — paste a production token without worrying about it being logged. Related tools: Base64 encoder/decoder (JWT parts are Base64URL), hash generator (for HMAC signature verification if you have the secret).

Refresh tokens and rotation

Short-lived JWTs (minutes) with refresh tokens (hours/days) are the standard pattern. When you see an auth flow that gives two tokens, the short one is for API calls and the long one is exchanged for a new short one. Decode both to confirm.

