JWT Inspector & Decoder
JWT Token
Paste a JWT token to decode
● Header
● Payload
● Signature (cannot verify without secret)

JWT Decoder Online Free — Inspect & Decode JSON Web Tokens — Free Online Tool

Decode and inspect JWT tokens online free. View header, payload, signature and all registered claims. Check expiry, iat and nbf. No server contact — 100% browser-based.

Free Forever
No Signup
No Upload
100% Private
Browser-based

Features

Built for real developer workflows. No fluff, just the tools you need.

🔑

Full Token Decoding

Header, payload and signature are decoded and colour-coded — yellow for header, green for payload, red for signature.

Expiry Checking

The exp claim is shown as a human-readable timestamp with a clear "Valid" or "EXPIRED" badge.

📋

All Registered Claims

exp, iat, nbf, iss, sub and aud are automatically extracted and displayed with plain-English labels.

Instant Decode

Paste a token and decoding begins immediately. No button needed.

🔒

Zero Server Contact

Your JWT tokens never leave your browser. Decoding is pure base64url JavaScript — no API calls.

📊

Algorithm & Type

The algorithm (HS256, RS256, etc.) and token type are shown at the top of the status bar after decoding.

How to use

Get results in seconds — no account, no file upload required.

1

Paste your JWT token

Paste the complete JWT (three base64url parts separated by dots) into the input panel.

2

Review header and payload

The algorithm, token type and all payload claims are shown in colour-coded JSON panels.

3

Check expiry

The registered claims section shows expiry in your local timezone with a Valid or EXPIRED badge.

More free tools

Every tool at itsseven is free, private and browser-based.

{}JSON FormatterBeautify & minify JSONJSON ValidatorSyntax & schema checkerDiff CheckerCompare text & codeYAML ConverterYAML ↔ JSONb64Base64 ToolEncode & decode Base64#Hash GeneratorMD5, SHA-256, SHA-512🔗URL EncoderEncode & parse URLs.*Regex TesterLive regex debugger

Frequently asked questions

What is a JWT?
A JSON Web Token is a compact URL-safe token format for securely representing claims. It consists of three base64url-encoded parts: header, payload and signature.
Can this verify JWT signatures?
No. Signature verification requires the secret key or public key. This tool decodes the readable parts only — it cannot verify authenticity.
Is it safe to paste production JWTs?
Decoding is local and private. However, JWTs are bearer tokens — treat them like passwords. Avoid pasting production tokens into online tools when possible.
What does exp mean?
exp is the expiration time — a Unix timestamp after which the token is no longer valid. This tool converts it to human-readable format and shows whether it has expired.
What is base64url encoding?
JWT uses a URL-safe variant of Base64 that replaces + with - and / with _. This makes tokens safe to use directly in URLs and HTTP headers.
Why is the signature red?
The red colour matches the JWT colour convention used in jwt.io. It signals caution — the signature cannot be verified without the secret key.