Skip to content
T
Tools.Town
Free Online Tools for Everyone
{ alg: HS256 }

JWT Decoder

100% Free

Paste any JSON Web Token to decode header, payload claims, and inspect expiry status — 100% client-side, signature never leaves the browser.

Real-time
Client-Side
Expiry Check
Encoded JWT

Decoding is purely client-side. We do NOT verify the signature — that requires the secret/public key.

Embed This Tool

Easy to Embed

Add JWT Decoder to your website or blog in seconds.

  • Responsive design
  • Lightweight & fast
  • No backend required
  • Always up-to-date 
<iframe
  src="https://tools.town/embed/jwt-decoder/"
  width="100%"
  height="600"
  style="border:none; border-radius:12px;"
  loading="lazy"
  title="JWT Decoder">
</iframe>

Share This Tool

Share Instantly

Share JWT Decoder with anyone — no login required.

  • Shareable link
  • No login required
  • Works on any device
  • No account needed

Share via

Advertisement

How to Use

  1. 1 Paste your JWT (or click 'Load sample' to try the canonical jwt.io example)
  2. 2 See decoded header (algorithm, type, key id)
  3. 3 See decoded payload with all standard and custom claims
  4. 4 View derived metadata: issued-at, expiry, time-to-live
  5. 5 Tokens are flagged red when expired or not-yet-valid

Features

  • Instant base64url decode of header + payload
  • Surfaces all standard claims (iss, sub, aud, exp, nbf, iat, jti)
  • Pretty-prints custom claims with syntax highlighting
  • Auto-detects expired tokens with relative-time display
  • 100% client-side — your token never leaves the browser
  • Does NOT verify signatures (use jwt-generator for that)

Why it Matters

Decoding a JWT in the terminal is fiddly — you have to base64url-decode each segment by hand. This tool does it instantly and surfaces the claims that actually matter for debugging: when the token expires, who issued it, what scopes it grants. Critical when you're chasing a 401 in production.

★★★★★

Use Cases

Debug Auth Issues

Find out why your token gets rejected — expired? wrong audience?

Check Expiry

See exactly when a session token will expire

Inspect Custom Claims

Verify roles, tenant IDs, and feature flags inside a token

Frequently Asked Questions

Does this verify the signature?
No — verification requires the secret (HMAC) or public key (RSA/EC) which is server-side. Use the JWT Generator for round-trip HMAC verify in the browser.
Is it safe to paste production tokens here?
Yes — decoding happens entirely in your browser. We never send the token to any server. That said, treat tokens as secrets and don't paste them into any tool you don't trust.
Why is my token shown as 'expired' even though I just got it?
Check your computer's clock — JWT expiry is compared against your local time. A clock skew of > 5 min between your machine and the issuer can cause false expiry.
What's the difference between iat, nbf, and exp?
`iat` = issued at, `nbf` = not before (token isn't valid until this time), `exp` = expires at. All Unix timestamps in seconds.
📖

Want to understand the math?

Browse all guides →
How to Use JWT Decoder
jwt

How to Use JWT Decoder — Complete Guide

Learn how to decode and inspect JWT tokens to read headers, payloads, and expiry claims using Tools.Town's free JWT Decoder.

8 May 2026

5 min read

Related Tools You Might Like

UUID Generator

Generate cryptographically random RFC 4122 v4 UUIDs — single, bulk (up to 1000), with format options. 100% client-side.

Base64 Encoder/Decoder

Encode plain text to Base64 or decode Base64 back to text — Unicode-safe, instant, browser-only.

JWT Generator

Sign HMAC JWTs (HS256/HS384/HS512) for API testing — secret, payload, algorithm, signed token. Pairs with the JWT Decoder for round-trip verify.

Hash Generator

Generate MD5, SHA-1, SHA-256, SHA-384, and SHA-512 hashes instantly. Client-side.

SHA-256 Hash Generator

Generate SHA-256 hashes and HMAC-SHA256 signatures — the secure standard for file integrity, JWT signing, and API request signatures.

Browse more free tools
More Developer Tools All categories