Free JWT Decoder Online — Inspect Header, Payload & Expiry

Last Updated: May 2026  ·  5 min read

JSON Web Tokens (JWTs) are everywhere: API authentication, OAuth 2.0, SSO sessions, mobile app tokens. But JWTs are base64url-encoded strings that look like gibberish at first glance. Our free JWT decoder lets you paste any token and instantly inspect its header, payload claims, expiry countdown, and algorithm, right in your browser, with no data ever sent to a server.


What Is a JWT?

A JSON Web Token is a compact, URL-safe token format defined by RFC 7519. It consists of three base64url-encoded parts separated by dots:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
  • Part 1 (Header): Token type and signing algorithm (e.g., HS256, RS256)
  • Part 2 (Payload): Claims — user ID, roles, expiry, issuer, etc.
  • Part 3 (Signature): Cryptographic signature to verify authenticity (it carries no readable claims, and verifying it requires the secret or public key)

Standard JWT Claims Explained

| Claim | Full Name | Description |
|---|---|---|
| sub | Subject | User or entity the token refers to |
| iss | Issuer | Who issued the token (e.g., auth.yourapp.com) |
| aud | Audience | Who the token is intended for |
| exp | Expiration | Unix timestamp when the token expires |
| iat | Issued At | When the token was created |
| nbf | Not Before | Token is invalid before this time |
| jti | JWT ID | Unique identifier for the token |

Common JWT Algorithms

| Algorithm | Type | Key Type |
|---|---|---|
| HS256 | HMAC SHA-256 | Shared secret (symmetric) |
| HS384 | HMAC SHA-384 | Shared secret (symmetric) |
| HS512 | HMAC SHA-512 | Shared secret (symmetric) |
| RS256 | RSA SHA-256 | Public/private key pair (asymmetric) |
| RS384 | RSA SHA-384 | Public/private key pair (asymmetric) |
| ES256 | ECDSA SHA-256 | Elliptic curve key pair |

How to Decode a JWT Free Online

  1. Copy your JWT token from your browser DevTools (Application → Cookies or Network tab), your API client (Postman, Insomnia), or your app logs
  2. Go to SolutionGigs Free JWT Decoder
  3. Paste the token in the input field
  4. Instantly see:
     • Header: algorithm and token type
     • Payload: all claims with labels and descriptions
     • Expiry: countdown or "expired X time ago"
     • Visual parts: color-coded token breakdown

Important: JWT Decoder vs JWT Verifier

Our decoder reads the payload and header — it does not verify the signature. This is intentional and safe for:

  • Debugging token contents during development
  • Checking why a token has expired
  • Inspecting claims before implementing validation logic
  • Confirming the correct algorithm is being used

Never use a JWT decoder to determine if a token is trustworthy in production. Always verify the signature server-side using your secret key or public key.
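What server-side verification involves for HS256, as an added example (not SolutionGigs' code and not any library's API). It uses Node.js's built-in crypto module; the secret, the claims and the helper names `signHs256` and `verifyHs256` are constructed for illustration.

```javascript
// Added example: HS256 verification with Node's built-in crypto module.
const { createHmac, timingSafeEqual } = require('node:crypto');

const b64url = (text) => Buffer.from(text, 'utf8').toString('base64url');
const fromB64url = (seg) => Buffer.from(seg, 'base64url');

// Hypothetical helper: issues a token so the example has something to verify.
function signHs256(payload, secret) {
  const header = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const input = `${header}.${b64url(JSON.stringify(payload))}`;
  return `${input}.${createHmac('sha256', secret).update(input).digest('base64url')}`;
}

// now is Unix seconds, injectable so the expiry check is reproducible.
function verifyHs256(token, secret, now = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const [h, p, sig] = parts;
  let header, payload;
  try {
    header = JSON.parse(fromB64url(h).toString('utf8'));
    payload = JSON.parse(fromB64url(p).toString('utf8'));
  } catch {
    return { ok: false, reason: 'malformed' };
  }
  // The server pins the algorithm; the token's own alg field never selects it.
  if (header?.alg !== 'HS256') return { ok: false, reason: 'algorithm not allowed' };
  // Recompute the MAC over "header.payload" and compare in constant time.
  const expected = createHmac('sha256', secret).update(`${h}.${p}`).digest();
  const given = fromB64url(sig);
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad signature' };
  }
  // Claims are only trusted once the signature has checked out.
  if (typeof payload?.exp === 'number' && payload.exp <= now) {
    return { ok: false, reason: 'expired' };
  }
  return { ok: true, payload };
}

// Constructed sample data: the secret and claims are made up for this example.
const SECRET = 'constructed-demo-secret';
const GOOD = signHs256({ sub: 'user-1', role: 'user', exp: 2000 }, SECRET);
// Same header and signature, but a payload edited after signing.
const [goodHeader, , goodSig] = GOOD.split('.');
const EDITED = `${goodHeader}.${b64url('{"sub":"user-1","role":"admin","exp":2000}')}.${goodSig}`;
console.log(verifyHs256(GOOD, SECRET, 1000));   // verifies
console.log(verifyHs256(EDITED, SECRET, 1000)); // decodes fine, fails verification
```

The edited token still decodes to readable claims in any decoder, which is why decoded output alone says nothing about trust.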


Why JWT Tokens Expire

The exp (expiration) claim is a Unix timestamp. Once the current time passes exp, the token is invalid. Common expiry configurations:

| Token Type | Typical Expiry |
|---|---|
| API access token | 15 minutes – 1 hour |
| OAuth access token | 1 hour |
| Refresh token | 7–30 days |
| Session token | 24 hours |
| Password reset token | 1–15 minutes |

Our free JWT decoder shows exactly how much time remains before your token expires — or how long ago it expired — so you can diagnose authentication errors instantly.


Privacy & Security

All decoding happens in your browser using JavaScript. Your token is never transmitted to our servers, never logged, and never stored. You can safely decode tokens from staging or production environments — just remember the decoded payload may contain sensitive data, so don't share your screen.


Common JWT Debugging Scenarios

401 Unauthorized: why is my token rejected?
Paste it in the decoder. Check if exp has passed, if aud matches your API, or if iss is what your server expects.

"Token expired" error: what went wrong?
The exp claim shows the exact expiry time. Our decoder shows how long ago it expired.

Which algorithm is this token using?
The alg field in the header tells you immediately. If it's none, the token is unsigned, and that's a serious security issue.

My payload is missing a field my app expects
The decoder shows every claim in the payload. Compare it with what your backend requires.
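The checks from the scenarios above written out, as an added example (not SolutionGigs' decoder code). It runs in a browser or in Node.js using only built-in globals; `diagnoseJwt`, its `expected` argument and the `api.example.test` audience are names assumed here.

```javascript
// Added example: decode-only diagnosis. It reads claims and never verifies the signature.

// base64url segment -> UTF-8 text, using only browser globals (atob, TextDecoder).
function b64urlToText(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder('utf-8', { fatal: true }).decode(bytes);
}

// expected.audience / expected.issuer: the values your API requires (assumed inputs).
// now: Unix seconds, injectable so results are reproducible.
function diagnoseJwt(token, expected = {}, now = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) throw new Error(`expected 3 parts, got ${parts.length}`);
  const header = JSON.parse(b64urlToText(parts[0]));
  const payload = JSON.parse(b64urlToText(parts[1]));
  const findings = [];

  if (typeof header.alg !== 'string' || header.alg.toLowerCase() === 'none') {
    findings.push('alg is missing or "none": the token is unsigned');
  }
  if (typeof payload.exp === 'number' && payload.exp <= now) {
    findings.push(`expired ${now - payload.exp}s ago`);
  }
  if (typeof payload.nbf === 'number' && payload.nbf > now) {
    findings.push(`not valid for another ${payload.nbf - now}s (nbf)`);
  }
  // aud may be one string or an array of strings (RFC 7519).
  const auds = [].concat(payload.aud ?? []);
  if (expected.audience && !auds.includes(expected.audience)) {
    findings.push(`aud ${JSON.stringify(payload.aud)} does not include ${expected.audience}`);
  }
  if (expected.issuer && payload.iss !== expected.issuer) {
    findings.push(`iss ${JSON.stringify(payload.iss)} is not ${expected.issuer}`);
  }
  return { header, payload, findings };
}

// The sample token shown earlier on this page (HS256; no exp, aud or iss claim).
const PAGE_TOKEN = [
  'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9',
  'eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ',
  'SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c',
].join('.');
// "api.example.test" is a placeholder audience, not a value from the page.
console.log(diagnoseJwt(PAGE_TOKEN, { audience: 'api.example.test' }).findings);
```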


Try the Free JWT Decoder Now

SolutionGigs Free JWT Decoder — paste any token, see all claims instantly. No signup, no limits, 100% free.


Frequently Asked Questions

What is a JWT token?
A JWT (JSON Web Token) is a compact, URL-safe token used to securely transmit information as a JSON object. It has three base64url-encoded sections: header (algorithm), payload (claims), and signature. Widely used for API authentication.

Is it safe to paste a JWT into an online decoder?
Our JWT decoder runs entirely in your browser, so the token is never sent to any server. You can verify this by checking the browser's network requests. For production secrets, always confirm a tool is fully client-side before using.

What does the exp claim mean in a JWT?
The 'exp' claim (expiration) is a Unix timestamp indicating when the token expires. Our decoder converts this to a human-readable date and shows a live countdown timer, which is useful for debugging authentication issues.

What is the difference between HS256 and RS256?
HS256 (HMAC-SHA256) uses a single shared secret key for both signing and verification, which is suitable for single-server systems. RS256 uses an RSA private/public key pair: the private key signs, the public key verifies. RS256 is preferred for distributed microservices.

How do I verify a JWT signature?
Our decoder shows the header and payload in readable form. To verify the signature cryptographically, use a backend library: jsonwebtoken (Node.js), PyJWT (Python), or java-jwt (Java). Signature verification requires the secret or public key.

Mohammed Yaseen

Founder, SolutionGigs

Mohammed has been building developer tools since 2018 and writes about JSON, JWT, regex, SQL, APIs, and web development utilities.