ByteKiwi

JWT Decoder

Online JWT decoder. Decode any JWT and inspect its header, payload, and claims - no secret needed. Displays exp, iat, and nbf as readable timestamps.


Features

Everything you need, nothing you don’t.

  • Decodes header and payload from any JWT - HS256, RS256, ES256, and more
  • Highlights exp, iat, and nbf claims with human-readable timestamps
  • Shows token expiry status - warns if the token has expired or is not yet active
  • Displays the raw Base64url signature for reference
  • One-click copy for header, payload, or individual claim values
  • All decoding happens in your browser - no token ever leaves your machine

Frequently asked questions

What is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe way to represent claims between two parties. It consists of three Base64url-encoded segments separated by dots: a header describing the signing algorithm, a payload carrying the claims, and a signature used to verify integrity. JWTs are commonly used for authentication, authorization, and information exchange in APIs.

Can I verify a JWT signature with this tool?

No. Signature verification requires the secret key (for HMAC algorithms like HS256) or the public key (for RSA/ECDSA algorithms like RS256/ES256), which you should never paste into a browser tool. This decoder only reads the header and payload - it confirms the structure is valid but does not verify cryptographic integrity. Always verify signatures server-side.

What do exp, iat, and nbf mean?

These are registered JWT claims defined in RFC 7519. exp (expiration time) is a Unix timestamp after which the token must be rejected. iat (issued at) is the Unix timestamp when the token was created. nbf (not before) is a Unix timestamp before which the token must not be accepted. This tool displays each as both a Unix timestamp and a human-readable ISO 8601 date.

Is this tool safe to use with real JWTs?

For non-sensitive tokens in development or debugging, yes - all decoding runs entirely in your browser. However, JWTs often carry sensitive claims like user IDs, roles, or email addresses. For production tokens containing sensitive data, prefer a local CLI tool such as jwt-cli or decode manually with base64 in your terminal.

Why does my JWT show as expired?

The exp claim is compared against your browser's current system clock. If the token's expiry timestamp is in the past relative to your local time, the tool flags it as expired. This is a client-side check only - server-side validation may use a different clock or allow a leeway window.
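The decoding, timestamp rendering and expiry check described in the three answers above, as an added stand-alone example in plain Python (this is not ByteKiwi's code; it uses only the standard library, and the sample token is constructed here with a placeholder signature segment, so nothing is verified):

```python
import base64
import json
import time
from datetime import datetime, timezone
from typing import Optional

def b64url_decode(segment: str) -> bytes:
    """Base64url-decode one JWT segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_jwt(token: str) -> dict:
    """Split a JWT into header, payload and raw signature. Nothing is verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a JWT has exactly three dot-separated segments")
    return {
        "header": json.loads(b64url_decode(parts[0])),
        "payload": json.loads(b64url_decode(parts[1])),
        "signature_b64url": parts[2],  # left encoded: without a key there is nothing to check
    }

def describe_time_claims(payload: dict) -> dict:
    """Render exp, iat and nbf as (unix timestamp, ISO 8601 UTC string)."""
    out = {}
    for claim in ("exp", "iat", "nbf"):
        if claim in payload:
            ts = int(payload[claim])
            out[claim] = (ts, datetime.fromtimestamp(ts, timezone.utc).isoformat())
    return out

def token_status(payload: dict, now: Optional[int] = None, leeway: int = 0) -> str:
    """Client-side view of the time claims; 'leeway' models the clock skew a server may allow."""
    now = int(time.time()) if now is None else now
    if "exp" in payload and now >= int(payload["exp"]) + leeway:
        return "expired"
    if "nbf" in payload and now < int(payload["nbf"]) - leeway:
        return "not yet active"
    return "active"

# Constructed sample token: the signature segment is a placeholder, not a real MAC.
SAMPLE_PAYLOAD = {"sub": "user-123", "iat": 1700000000, "nbf": 1700000000, "exp": 1700003600}
SAMPLE_TOKEN = ".".join([
    b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode()),
    b64url_encode(json.dumps(SAMPLE_PAYLOAD, separators=(",", ":")).encode()),
    b64url_encode(b"placeholder-signature"),
])
```

Calling `token_status(decode_jwt(SAMPLE_TOKEN)["payload"])` with the real clock reports the constructed token as expired, exactly as the tool would; pass `now` and `leeway` to see how a server with a skew allowance would judge it.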

What JWT algorithms are supported?

All algorithms are supported for decoding the payload - HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, and others. The algorithm is listed in the header under the alg key. Since this tool only decodes and does not verify, the algorithm has no effect on the output.

How do I decode a JWT in Python?

To decode without verifying the signature (inspection only), use PyJWT with verification disabled:

import jwt

token = 'eyJhbGci...'

# Decode without signature verification
payload = jwt.decode(token, options={'verify_signature': False})
print(payload)

# Decode and verify (requires the secret or public key).
# The algorithms list is pinned by your code, not read from the token header.
payload = jwt.decode(token, 'your-secret', algorithms=['HS256'])

For quick inspection during development, paste the token into the tool above - no code required.

What is jwt.ms - the Microsoft JWT decoder?

jwt.ms is a JWT decoder maintained by Microsoft, commonly used when debugging Azure Active Directory and Microsoft Entra ID tokens. It decodes the token client-side and annotates claim names with their Microsoft-specific meanings. ByteKiwi's JWT decoder works the same way - all decoding runs in your browser - and supports any JWT regardless of the issuer.

Decoding JWTs in Code

Programmatic JWT decoding in common frameworks and languages.

JWT Decoder in Spring Boot

For inspection without signature verification, decode the Base64url payload segment directly using Java's standard library:

import java.nio.charset.StandardCharsets;
import java.util.Base64;

String token = "eyJhbGci...";
String[] parts = token.split("\\.");

// Decode the payload (middle segment); the URL decoder accepts the unpadded form JWTs use
byte[] decoded = Base64.getUrlDecoder().decode(parts[1]);
String payloadJson = new String(decoded, StandardCharsets.UTF_8);
// payloadJson is now a readable JSON string - nothing about it has been verified

// For production - decode and verify with Spring Security:
// NimbusJwtDecoder.withJwkSetUri("https://issuer/.well-known/jwks.json").build()

Decoding Ping Identity JWTs

JWTs issued by Ping Identity (PingFederate, PingOne, PingAccess) follow standard RFC 7519 format. Paste any Ping-issued token above to inspect its header, payload, and claims. The decoder works with tokens from any identity provider including Ping, Okta, Auth0, Microsoft Entra ID, and AWS Cognito.

JWT Decoder and Encoder

This tool decodes and inspects JWTs. JWT signing (encoding) requires a private key or secret that should never be handled client-side. To create signed tokens programmatically, use: jsonwebtoken in Node.js, PyJWT in Python, jjwt in Java, or System.IdentityModel.Tokens.Jwt in .NET.