DevBolt
Processed in your browser. Your data never leaves your device.

How do I decode a JWT token online?

Paste your JWT token and instantly see its decoded header and payload as formatted JSON. The tool parses all standard claims (exp, iat, iss, sub, aud) and shows human-readable expiration dates. Your token is decoded entirely in the browser — it is never sent to any server.

Decode a JWT token
Input
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Output
Header: { "alg": "HS256", "typ": "JWT" }
Payload: { "sub": "1234567890", "name": "John Doe", "iat": 1516239022 }

JWT Decoder

Decode and inspect JSON Web Tokens. View header, payload, and expiration status.

Tips & Best Practices

Security Note

JWTs are not encrypted — anyone can read the payload

A JWT is just Base64url-encoded JSON. The signature prevents tampering but does not hide the contents. Never store sensitive data (passwords, SSNs, credit card numbers) in JWT claims. If you need encrypted tokens, use JWE (JSON Web Encryption) instead.

Common Pitfall

The 'none' algorithm attack is still exploited

Some JWT libraries accept alg: "none", which means no signature verification. Attackers forge tokens by changing the algorithm to "none" and removing the signature. Always validate that the algorithm matches your expected value (e.g., RS256) and reject 'none' explicitly.

Pro Tip

Set short expiration times and use refresh tokens

Access tokens should expire in 5-15 minutes, not hours or days. A stolen JWT cannot be revoked (unlike session IDs) — short expiration limits the damage window. Use a refresh token (stored in an httpOnly cookie) to silently issue new access tokens.

Real-World Example

Decode the three parts: Header.Payload.Signature

Split the JWT at the dots. The header tells you the algorithm (RS256, HS256). The payload contains claims — iss (issuer), sub (subject), exp (expiration as Unix timestamp), iat (issued at). The signature is an HMAC (HS256) or digital signature (RS256) computed over the encoded header and payload; verifying it with the right key proves that neither part has been modified since the token was issued.

Frequently Asked Questions

How do I decode a JWT token?
Paste your JWT into the input field and it decodes instantly, showing the header, payload, and signature as formatted JSON. The header reveals the signing algorithm (HS256, RS256, etc.) and token type. The payload contains the claims — issuer, subject, audience, expiration, and any custom data. DevBolt's decoder color-codes the three JWT sections (header.payload.signature) and automatically converts Unix timestamps to human-readable dates. No server calls are made — decoding happens entirely in your browser, making it safe for tokens containing user data.
Is it safe to paste JWTs into an online decoder?
It depends on the tool. DevBolt's JWT Decoder runs entirely client-side — your token never leaves your browser and no API calls are made. You can verify this in your browser's Network tab. This makes it safe for decoding production tokens. However, server-based JWT decoders send your token to a remote server for processing, which could expose the payload contents including user IDs, emails, roles, and permissions. Always check whether a tool is client-side before pasting sensitive JWTs. Note that JWT payloads are only Base64url-encoded, not encrypted — anyone with the token can read the payload.
What is the difference between HS256 and RS256 JWT algorithms?
HS256 (HMAC-SHA256) uses a single shared secret key for both signing and verification. It is simpler but requires distributing the secret to every service that needs to verify tokens. RS256 (RSA-SHA256) uses asymmetric cryptography — a private key signs tokens and a public key verifies them. RS256 is preferred for distributed systems because only the auth server needs the private key while any service can verify tokens using the freely shareable public key. HS256 is faster and suitable for single-service applications. Most modern auth providers (Auth0, Okta, Firebase) default to RS256.
How do I check if a JWT has expired?
Look at the 'exp' (expiration) claim in the decoded payload. This value is a Unix timestamp representing when the token expires. DevBolt's decoder automatically converts this to a readable date and highlights whether the token is currently valid or expired. You can also check the 'iat' (issued at) and 'nbf' (not before) claims. In code, compare the exp value against the current Unix time: if Date.now() / 1000 > exp, the token has expired. Always validate expiration server-side — never trust client-side checks alone for security decisions.
