Skip to main content
L
Loopaloo
Buy Us a Coffee
All ToolsImage ProcessingAudio ProcessingVideo ProcessingDocument & TextPDF ToolsCSV & Data AnalysisConverters & EncodersWeb ToolsMath & ScienceGames
Guides & BlogAboutContact
Buy Us a Coffee
L
Loopaloo

Free online tools for developers, designers, and content creators. All processing happens entirely in your browser - your files never leave your device. No uploads, no accounts, complete privacy.

support@loopaloo.com

Tool Categories

  • Image Tools
  • Audio Tools
  • Video Tools
  • Document & Text
  • PDF Tools
  • CSV & Data
  • Converters
  • Web Tools
  • Math & Science
  • Games

Company

  • About Us
  • Contact
  • Blog
  • FAQ

Legal

  • Privacy Policy
  • Terms of Service
  • Disclaimer

Support

Buy Us a Coffee

© 2026 Loopaloo. All rights reserved. Built with privacy in mind.

Privacy|Terms|Disclaimer
  1. Home
  2. Converters & Encoders
  3. JWT Decoder
Add to favorites

JWT Decoder

Decode and inspect JSON Web Tokens (JWT). View header, payload, claims, expiration status, and signature without needing the secret key

Paste a JSON Web Token and instantly see its decoded header, payload, and signature. The decoder parses the three Base64URL-encoded segments and presents them as formatted JSON, making it easy to inspect claims, expiration times, and signing algorithms without writing any code.

Runs in your browser and files never uploadedMore converters & encodersJump to full guide

Related reading

  • Understanding JWT Tokens: Structure, Security, and Validation12 min read

Initializing in your browser…

You might also like

JWT Builder

Create and sign JSON Web Tokens (JWT) with custom claims. Support for HS256, HS384, HS512 HMAC algorithms

Base64 Encoder/Decoder

Encode and decode text or files to/from Base64

URL Encoder/Decoder

URL encode or decode text for safe use in URLs

JWT Decoder: a worked example

An API call returns 401 and you need to see whether the token your client sent is expired or missing a scope.

JWT

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
JWT Decoder produces

Decoded

Header:  { "alg": "HS256", "typ": "JWT" }
Payload: { "sub": "1234567890", "name": "John Doe", "iat": 1516239022 }
iat → 2018-01-18 01:30:22 UTC

A JWT is three base64url segments, header.payload.signature, so the claims are readable without the secret (the tool also renders `iat`/`exp` as human dates so you can spot expiry instantly). Decoding does not verify the signature, so never trust an unverified token server-side: anyone can read, and forge, the unsigned parts.

What is JWT Decoder?

Paste a JSON Web Token and instantly see its decoded header, payload, and signature. The decoder parses the three Base64URL-encoded segments and presents them as formatted JSON, making it easy to inspect claims, expiration times, and signing algorithms without writing any code.

How to use

  1. 1Paste the full JWT string (header.payload.signature).
  2. 2View the decoded header and payload as formatted JSON.
  3. 3Check the expiration (exp) and issued-at (iat) timestamps, shown in human-readable form.
  4. 4Copy individual sections as needed.

Key features

  • Decodes header and payload to formatted JSON
  • Converts exp, iat, and nbf timestamps to readable dates
  • Identifies the signing algorithm (HS256, RS256, ES256, etc.)
  • Syntax-highlighted JSON output
  • Detects and flags expired tokens
  • Handles both compact and non-compact JWT formats

Common use cases

  • API debugging

    Inspect the claims inside an access token to troubleshoot authentication or authorization issues.

  • Token expiration checks

    Quickly see when a token was issued and when it expires without decoding manually.

  • Security auditing

    Review what data is stored in a JWT to ensure no sensitive information is exposed in the payload.

  • Learning and teaching

    Visualize the JWT structure to understand how claims-based authentication works.

How it works

A JWT consists of three parts separated by dots: the header (which specifies the algorithm and token type), the payload (which carries the claims, data like user ID, roles, and expiration), and the signature (which verifies the token has not been tampered with). This tool decodes the first two parts, which are simply Base64URL-encoded JSON. It does not verify the signature, since that requires the signing key.

Frequently asked questions

Does this tool verify the JWT signature?

No. Signature verification requires the secret key or public key, which this client-side tool does not have. It only decodes the header and payload.

Is it safe to paste my JWT here?

Yes. Everything runs in your browser. The token is never sent to any server.

What do the "exp" and "iat" fields mean?

"exp" is the expiration time and "iat" is the issued-at time. Both are Unix timestamps representing seconds since January 1, 1970.

Private by design

Conversions run on your device in JavaScript. The values you enter are never sent over the network.