JWT decoder

Inspect a token before you chase the wrong auth bug. Decode headers, claims, algorithms, signatures, and expiry state.

What is JWT?

JSON Web Token (JWT, RFC 7519) is a compact format for carrying claims between parties. A signed token is three base64url segments separated by dots: header, payload, and signature. In day-to-day debugging, the useful questions are usually simple: who issued the token, who is it for, what permissions does it claim, which algorithm signed it, and has it expired?

Header

Shows token metadata such as typ, alg, and sometimes kid, which identifies the key the issuer used. The header is attacker-controlled until the signature has been verified, so a verifier must pin the algorithm it expects rather than honor whatever alg says; accepting a header-chosen alg is how "alg: none" and key-confusion bugs happen.

Payload

Contains claims such as sub, iss, aud, exp, iat, nbf, roles, tenant IDs, or application-specific authorization data. Note that aud may be a single string or an array of strings, and that every claim here is readable by anyone holding the token.

Signature

Covers the header and payload, so any change to either invalidates it when the server verifies it with the expected key: a shared secret for HMAC algorithms such as HS256, or the issuer's public key for RS256 and ES256. A decoder shows you the signature bytes; it cannot tell you whether they are valid without that key.

Expiry

The exp claim is often the fastest clue in auth debugging. A well-formed token is still useless when it is already outside its validity window. exp (and nbf, the not-before time) are NumericDate values, seconds since the Unix epoch, so compare them against the current time, allowing only a few seconds of leeway for clock skew between issuer and verifier.

JWT FAQ

Are JWTs encrypted?

Usually not. The common form is a signed token (JWS): base64url-encoded, not encrypted, which means anyone who has the token can inspect the header and payload. The signature only protects integrity. Encrypted tokens (JWE) exist but are much less common, and a decoder like this cannot read their payload.

Does decoding a JWT verify that it is trusted?

No. Decoding only reveals the token contents. Trust requires signature verification against the expected secret or public key, with the algorithm chosen by the verifier rather than read from the header, plus checks for issuer, audience, expiry, and application rules.

What happens when a token expires?

If the exp claim is in the past (beyond any small clock-skew leeway the verifier allows), the server should reject the token and the client must reauthenticate or request a new access token through the correct refresh flow.
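The structure walk-through above and the FAQ answers on decoding versus verification and on expiry, as one worked example. This is added example code, not the page's decoder; it assumes an HS256 (shared-secret) token, and TEST_SECRET, the issuer/audience strings and every claim value are constructed test data. It decodes a token for inspection, then shows why that is not verification: a payload edited to role=admin decodes fine, an "alg: none" rewrite decodes fine, and an expired token decodes fine, and all three are rejected only by the verifier, which pins the algorithm and checks the signature before it looks at iss, aud, exp or nbf.

```python
"""Decode a JWT for inspection, then verify it the way a server must.

Added example, not the page's decoder. Assumes an HS256 (shared-secret)
token; TEST_SECRET and every claim value below are constructed test data.
"""
import base64
import hashlib
import hmac
import json
import time

TEST_SECRET = b"constructed-test-secret-do-not-reuse"  # constructed, not real


def b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without padding; restore the '=' first."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt(token: str) -> dict:
    """Inspect only. A tampered token decodes exactly as cleanly as a real one."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature (JWS compact form)")
    header_b64, payload_b64, sig_b64 = parts
    return {
        "header": json.loads(b64url_decode(header_b64)),
        "payload": json.loads(b64url_decode(payload_b64)),
        "signature": b64url_decode(sig_b64),
    }


def verify_hs256(token, secret, issuer, audience, now=None, leeway=30):
    """Pinned alg, HMAC over the signing input, then iss/aud/exp/nbf.
    Returns the claims only if every check passes; raises ValueError otherwise."""
    decoded = decode_jwt(token)
    header_b64, payload_b64, _ = token.split(".")
    header, claims = decoded["header"], decoded["payload"]
    # The header is attacker-controlled until the signature checks out, so the
    # verifier chooses the algorithm; it never obeys whatever alg says.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, decoded["signature"]):
        raise ValueError("signature mismatch")
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")  # RFC 7519 allows a string or an array here
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    now = int(time.time()) if now is None else now
    exp = claims.get("exp")  # NumericDate: seconds since the Unix epoch
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        raise ValueError("token expired or missing exp")
    nbf = claims.get("nbf")
    if nbf is not None and now + leeway < nbf:
        raise ValueError("token not yet valid")
    return claims


def check_token(token, secret, issuer, audience, now=None):
    """('ok', claims) or ('rejected', reason), so callers never see a bare exception."""
    try:
        return "ok", verify_hs256(token, secret, issuer, audience, now=now)
    except ValueError as err:
        return "rejected", str(err)


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint a test token (demo only; use a maintained library in production)."""
    compact = {"separators": (",", ":")}
    h = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    p = b64url_encode(json.dumps(claims, **compact).encode())
    sig = hmac.new(secret, (h + "." + p).encode("ascii"), hashlib.sha256).digest()
    return h + "." + p + "." + b64url_encode(sig)


def tamper_payload(token: str, **changes) -> str:
    """Edit claims but keep the old signature: the naive privilege-escalation attempt."""
    h, p, s = token.split(".")
    claims = json.loads(b64url_decode(p))
    claims.update(changes)
    return h + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()) + "." + s


def strip_to_alg_none(token: str) -> str:
    """The classic 'alg: none' forgery: rewrite the header, drop the signature."""
    _, p, _ = token.split(".")
    return b64url_encode(b'{"alg":"none","typ":"JWT"}') + "." + p + "."


if __name__ == "__main__":
    now = 1_700_000_000  # fixed clock so the demo is reproducible
    claims = {"iss": "https://issuer.example", "aud": "api", "sub": "user-42",
              "role": "viewer", "iat": now - 60, "exp": now + 300}
    token = sign_hs256(claims, TEST_SECRET)
    print(json.dumps(decode_jwt(token)["payload"], indent=2))
    for name, t in [("genuine", token), ("tampered", tamper_payload(token, role="admin")),
                    ("alg none", strip_to_alg_none(token)),
                    ("expired", sign_hs256({**claims, "exp": now - 31}, TEST_SECRET))]:
        print(name, check_token(t, TEST_SECRET, "https://issuer.example", "api", now=now))
```

The order of checks in verify_hs256 is deliberate: algorithm pinning first, then the signature, then claims. Rejecting on iss or aud before the signature would leak nothing dangerous, but checking claims on an unverified payload invites the mistake of acting on them, and the "expired" case shows why decoding alone is never a trust decision. The 30-second leeway is a starting point; tighten it to whatever skew your issuer and verifier actually exhibit.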

Should I paste production tokens into a decoder?

Treat live tokens like credentials: a bearer token is usable by whoever holds it until it expires. Use short-lived test tokens when practical, and avoid pasting sensitive production access tokens into any tool you do not control. If you must inspect a live token, check whether the tool decodes it locally in the browser or sends it to a server first.