Free JWT Decoder
A JWT decoder transforms the cryptic Base64-encoded segments of a JSON Web Token into readable JSON and human-friendly dates. Copy any JWT, paste it in, and instantly see what claims it contains—perfect for debugging authentication, understanding token payloads, and checking expiration without needing the secret key.
{
  "alg": "HS256",
  "typ": "JWT"
}
{
  "sub": "1234567890",
  "name": "Ada Lovelace",
  "iat": 1516239022
}
Signature is NOT verified. This tool only decodes the token (which anyone can do — JWT payloads are not encrypted). Verifying authenticity requires the secret or public key, so never trust a JWT's contents based on decoding alone. Decoding happens in your browser; nothing is uploaded.
Quick answer
Paste a JWT into the decoder and it base64url-decodes the header and payload into readable JSON, then converts Unix timestamps (exp, iat, nbf) into human-readable dates and times. The signature is NOT verified (you need the secret key for that)—this tool only reveals what data the token contains.
Formula & method
A JWT has three parts separated by dots: header.payload.signature. The decoder base64url-decodes the first two parts and parses them as JSON. When it encounters timestamp fields (exp = expiration, iat = issued-at, nbf = not-before), it converts Unix epoch seconds into readable ISO 8601 or local datetime. The signature part is displayed as-is but not validated, since signature verification requires the secret or public key.
Examples
- Input
- eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c2VyMTIzIiwiZXhwIjoxNzM1Njg5NjAwLCJpYXQiOjE3MDQxNTM2MDB9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ
- Result
- Header: {"alg":"HS256","typ":"JWT"} Payload: {"sub":"user123","exp":1735689600,"iat":1704153600} Decoded: exp = January 1, 2025 00:00:00 UTC, iat = January 1, 2024 00:00:00 UTC
- Why
- The header shows HS256 signing algorithm. The payload contains a user ID and timestamps. The decoder converts Unix seconds (1735689600) into readable dates—instantly showing whether the token has expired.
- Input
- eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pbjI4OIsibmJmIjoxNzA0MTUzNjAwLCJleHAiOjE3MzU2ODk2MDB9.signature
- Result
- Header: {"alg":"RS256","typ":"JWT"} Payload: {"sub":"admin288","nbf":1704153600,"exp":1735689600} Decoded: nbf = January 1, 2024 00:00:00 UTC (token not valid before this date), exp = January 1, 2025 00:00:00 UTC
- Why
- The nbf claim means the token won't be considered valid before January 1, 2024. This is useful for tokens you want to issue now but activate later. The decoder shows you at a glance whether a token is usable right now.
- Input
- eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c2VyNDU2IiwiZXhwIjoxNzA0MTUzNTk5fQ.sig
- Result
- Header: {"alg":"HS256","typ":"JWT"} Payload: {"sub":"user456","exp":1704153599} Decoded: exp = January 1, 2024 00:00:00 UTC (EXPIRED as of June 6, 2026)
- Why
- The expiration timestamp 1704153599 is January 1, 2024—long past. The decoder immediately flags this as expired and shows how old the token is, saving you time debugging why authentication failed.
When to use this tool
- Debugging authentication failures: paste the token to see the actual claims, expiration, and user ID instead of guessing what went wrong.
- Checking if a token is expired before making an API call: instantly compare the exp timestamp to the current time without needing server-side validation.
- Understanding third-party token structure: when integrating OAuth or SSO, decode the JWT you receive to verify it contains the claims your app expects.
Common mistakes
- Expecting the decoder to verify the signature: it won't. Signature verification requires the signing secret (for HMAC) or public key (for RSA/ECDSA). The decoder only reads the claims.
- Pasting a malformed token with fewer than two dots: a valid JWT must have three parts (header.payload.signature). If you paste two parts, the decoder will fail because the structure is incomplete.
- Assuming the timestamp is in milliseconds: JWT timestamps (exp, iat, nbf) are always in Unix epoch seconds, not milliseconds. A token expiring in year 3000 uses a timestamp like 32503680000, not 32503680000000.
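The method and the structural mistakes above, as an added example (not this tool's own code): a decode-only JavaScript function that splits the token, base64url-decodes the header and payload, converts exp/iat/nbf to ISO 8601, and rejects wrong part counts and millisecond-sized timestamps. The names `decodeJwt`, `toSeg` and `SAMPLE`, the constructed sample token, and the 1e11 cutoff are assumptions of the example.

```javascript
// Added example (not the tool's code): decode-only JWT inspection. No signature check.
const TIME_CLAIMS = ['exp', 'iat', 'nbf'];

function b64urlToText(seg) {
  if (!/^[A-Za-z0-9_-]+$/.test(seg)) throw new Error('invalid base64url characters');
  const b64 = seg.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - (seg.length % 4)) % 4);
  return new TextDecoder().decode(Uint8Array.from(atob(b64), (c) => c.charCodeAt(0)));
}

function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) throw new Error(`expected 3 dot-separated parts, got ${parts.length}`);
  const [header, payload] = ['header', 'payload'].map((name, i) => {
    let value;
    try {
      value = JSON.parse(b64urlToText(parts[i]));
    } catch (err) {
      throw new Error(`${name} is not base64url-encoded JSON (${err.message})`);
    }
    if (value === null || typeof value !== 'object') throw new Error(`${name} is not a JSON object`);
    return value;
  });
  const times = {};
  const warnings = [];
  for (const claim of TIME_CLAIMS) {
    const value = payload[claim];
    if (value === undefined) continue;
    // Assumption of this example: beyond 1e11 (year 5138 in seconds) means milliseconds.
    if (!Number.isFinite(value) || Math.abs(value) > 1e11) {
      warnings.push(`${claim} is not a plausible epoch-seconds value`);
      continue;
    }
    times[claim] = new Date(value * 1000).toISOString();
  }
  return {
    header, payload, times, warnings,
    expired: 'exp' in times && nowSeconds >= payload.exp,
    notYetValid: 'nbf' in times && nowSeconds < payload.nbf,
    signatureVerified: false, // decoding never proves who issued the token
  };
}

// Constructed sample token for this example; the third part is a dummy, not a real signature.
const toSeg = (obj) => btoa(JSON.stringify(obj)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const SAMPLE = `${toSeg({ alg: 'HS256', typ: 'JWT' })}.${toSeg({ sub: 'user123', nbf: 1704067200, exp: 1735689600 })}.dummy`;
```

Passing `nowSeconds` explicitly makes the expired and not-yet-valid results reproducible; omit it to compare against the current clock.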
Frequently asked questions
Is my JWT secure if I decode it here?
Yes. This decoder runs 100% in your browser, so your token never leaves your computer. Base64url encoding is not encryption, so decoding a JWT exposes nothing that anyone holding the token could not already read. The signature portion (which requires a secret key to generate) can be read, but a valid one cannot be produced without that key.
Can you verify the signature for me?
No. Signature verification requires the secret key (HMAC), which is secret by design, or the public key (RSA/ECDSA/EdDSA). You must verify signatures on your backend or in a library that has access to the key. This tool only decodes and reads.
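What backend verification looks like for HS256, as an added example that is not this tool's code: the MAC is recomputed over header.payload with Node.js's built-in crypto and compared in constant time before any claim is read. The function names, the sample-token helpers, and the choice to pin `alg` to HS256 are assumptions of the example.

```javascript
// Added example (not the tool's code): HS256 verification with Node.js built-in crypto.
const { createHmac, timingSafeEqual } = require('node:crypto');

const toB64url = (data) => Buffer.from(data).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const fromB64url = (seg) => Buffer.from(seg.replace(/-/g, '+').replace(/_/g, '/'), 'base64');
const mac = (input, secret) => createHmac('sha256', secret).update(input).digest();

// Issues a constructed sample token; a real issuer would do this server-side.
function signHs256(payload, secret) {
  const input = `${toB64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }))}.${toB64url(JSON.stringify(payload))}`;
  return `${input}.${toB64url(mac(input, secret))}`;
}

function verifyHs256(token, secret, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const [head, body, sig] = parts;
  const parse = (seg) => {
    try { return JSON.parse(fromB64url(seg).toString('utf8')); } catch { return null; }
  };
  const header = parse(head);
  // Pin the algorithm: the token's own header must not choose how it is checked.
  if (!header || header.alg !== 'HS256') return { ok: false, reason: 'unexpected alg' };
  const expected = mac(`${head}.${body}`, secret);
  const given = fromB64url(sig);
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad signature' };
  }
  // Only after the signature checks out are the claims worth reading.
  const payload = parse(body);
  if (!payload) return { ok: false, reason: 'malformed' };
  if (Number.isFinite(payload.exp) && nowSeconds >= payload.exp) return { ok: false, reason: 'expired' };
  if (Number.isFinite(payload.nbf) && nowSeconds < payload.nbf) return { ok: false, reason: 'not yet valid' };
  return { ok: true, payload };
}

// Simulates a token whose payload was edited after signing (old signature kept).
function withEditedPayload(token, changes) {
  const [head, body, sig] = token.split('.');
  const edited = { ...JSON.parse(fromB64url(body).toString('utf8')), ...changes };
  return `${head}.${toB64url(JSON.stringify(edited))}.${sig}`;
}
```

A token passed through `withEditedPayload` still decodes cleanly in any decoder, which is why decoded claims alone are not evidence of authenticity; `verifyHs256` rejects it with `bad signature`.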
How do I know if a token is still valid?
The decoder shows you the exp (expiration), iat (issued-at), and nbf (not-before) timestamps as readable dates. Compare the exp date to today: if it's in the past, the token is expired and servers will reject it.
What if the JWT is invalid or corrupted?
If the JWT is malformed (fewer than three parts, invalid Base64url characters, or non-JSON payload), the decoder will show an error. Fix the token structure and try again.
Which timestamp claims does the decoder humanize?
Three standard claims: exp (expiration time), iat (issued at), and nbf (not before). All are Unix epoch seconds. The decoder also displays the current time so you can see at a glance if the token is valid now.
Can I use this for OAuth tokens from Google, GitHub, or Auth0?
Yes. As long as you have the JWT (ID token or access token), paste it in. You'll see the claims those providers issued—email, user ID, permissions, etc. Just remember the signature is not verified.
Provided “as is” for general information only — results may be inaccurate, so verify before you rely on them. No warranty; use at your own risk.
Built and reviewed by HIFreeTools against the formula shown above and any authoritative references cited on this page. See our methodology and editorial standards.