JWT parser

Parse and decode your JSON Web Token

All computation runs locally in your browser

Last updated: February 4, 2026

JWT to decode

Header
alg(Algorithm)	HS256(HMAC using SHA-256)
typ(Type)	JWT
Payload
sub(Subject)	1234567890
name(Full name)	John Doe
iat(Issued At)	1516239022(1/18/2018 1:30:22 AM)

Introduction / overview

A JSON Web Token (JWT) is a compact string that carries claims (pieces of information) between systems. It’s usually used as a bearer token: if a client presents it, the server decides what the client is allowed to do.

What does this JWT Parser help you do?

Decode the Header and Payload instantly into readable JSON fields.
Sanity-check standard claims like $exp$ (expiration), $iat$ (issued at), and $aud$ (audience).
Spot common integration issues: wrong algorithm, missing roles, or tokens that are already expired.

Who typically uses it?

Backend engineers debugging auth middleware and API gateways.
Frontend developers checking what user profile data is inside an ID token.
Security teams doing quick triage: “Is this token expired or mis-issued?”

This parser decodes JWTs for inspection. It does not validate the signature. For signing/verification experiments, you might also use our HMAC Generator.

How to Use / Quick Start Guide

1Paste your token into the JWT to decode box.
2Review the decoded Header (algorithm, type) and Payload (claims).
3Use the expiration fields to decide whether the token is still usable.

Example 1: Is the token expired right now?

Suppose the token has $exp=1700003600$ and “now” is $t_{now}=1700000000$ . The rule of thumb is:

\text{Expired if }\ t_{now} > exp

t_{now} > exp

\ ?

1700000000 > 1700003600

\Rightarrow

\text{false (not expired)}

So the token is still valid by time, but you should also check audience, issuer, and signature on the server.

Example 2: How long until it expires?

With the same values, the remaining time is:

\Delta t = exp - t_{now}

=

1700003600 - 1700000000

=

3600\ \mathrm{s}

$3600\ \mathrm{s}$ is exactly $1\ \mathrm{hour}$ . If your system caches tokens, this kind of quick check helps you pick a sensible refresh window.

Real-World Examples / Use Cases

API returns 401 unexpectedly

Background: A client sends a bearer token, but the API rejects it.

Input: paste the token and inspect $exp$ , $aud$ , and $iss$ .

Result: if $exp$ is in the past or $aud$ targets a different service, you’ve found your culprit.

Missing roles / permissions

Background: The UI shows “Forbidden” even after login.

Input: look for claims like $roles$ , $groups$ , or $scope$ .

Result: if the claim set is empty, the identity provider may not be configured to include them.

Debugging tokens from logs

Background: Support gives you a token string from a server log.

Input: paste it to quickly read the user subject $sub$ and the issued time $iat$ .

Result: you can confirm whether the token matches the reported user and timeframe.

Quick privacy sanity check

Background: A team wonders whether a token contains sensitive data.

Input: inspect payload claims and look for emails, phone numbers, or internal IDs.

Result: remember a JWT is usually only encoded, not encrypted—anything in the payload can often be read.

Need to check whether a string is Base64 (or decode an intermediate value)? Try our Base64 String Encoder/Decoder.

Common Scenarios / When to Use

Integration debugging

You need a fast answer: is the token malformed, expired, or missing a key claim?

Expiry triage

Users are getting logged out. Check exp/iat and reason about token lifetimes.

Security review

Confirm you are not leaking personal data or internal secrets in plain payload claims.

Gateway / middleware

Inspect alg/typ/aud/iss when a reverse proxy or middleware rejects tokens.

User identity confirmation

Confirm the subject and other identifiers match the reported account.

Key rotation planning

If you see kid in the header, you can validate whether rotation metadata is present.

When it may not be enough

This tool is best for decoding and quick inspection. If you need cryptographic verification (signature validation), you must verify the JWT against the correct secret/public key in your backend.

Tips & Best Practices

Treat payload as readable: A JWT is often only encoded. Assume anyone who gets the token can read the payload claims.
Always check time claims together: Look at exp, iat, and nbf as a set. A token can be unexpired but not yet valid if nbf is in the future.
Validate audience and issuer: Even a correctly signed token should be rejected if aud/iss do not match your service.
Prefer short lifetimes: Short expiration windows reduce damage if a token leaks. Use refresh tokens for long sessions.

If you’re debugging authorization headers end-to-end, you may also like our Basic Auth Generator.

Calculation Method / Formula Explanation

A classic JWT has three dot-separated parts:

\mathrm{JWT}

=

\mathrm{Base64Url}(\mathrm{Header})

.

\mathrm{Base64Url}(\mathrm{Payload})

.

\mathrm{Signature}

Base64Url decoding (high level)

H=\mathrm{JSON}(\mathrm{B64UrlDecode}(p_0))

,

P=\mathrm{JSON}(\mathrm{B64UrlDecode}(p_1))

Where $p_0$ is the first segment (header), and $p_1$ is the second segment (payload). The signature segment is not JSON.

Important: decoding is not verification

This parser can read the payload, but it cannot prove authenticity. Signature verification depends on the algorithm: for example, $\mathrm{HS256}$ uses a shared secret, while $\mathrm{RS256}$ uses a public/private key pair.

Related Concepts / Background Info

JOSE header

The first segment. It often includes typ, alg, and sometimes kid (key id).

Registered claims

Standardized keys like iss, sub, aud, exp, nbf, and iat.

JWS vs JWE

Most JWTs you see are JWS (signed). JWE is encrypted and behaves very differently.

Bearer token model

If you have the token, you can act as the subject. Protect it like a password.

Frequently Asked Questions (FAQs)

Is it safe to paste a JWT here?

The parser runs locally in your browser. Still, JWTs can contain personal data. Avoid using real production tokens on shared machines.

Why does my JWT show “Invalid JWT format”?

A JWT must have at least two dot-separated segments. If the header or payload is not valid Base64Url or not valid JSON, parsing fails.

Why can’t I see the signature as JSON?

The signature is a cryptographic output, not a JSON object. It’s meant for verification, not display.

Does decoding prove the token is authentic?

No. Authenticity requires signature verification using the correct key material.

What should I check first when debugging?

Start with $exp$ , $nbf$ , and $iat$ , then confirm $aud$ and $iss$ match your service.

Why are some claim values shown as pretty JSON?

Some claims are arrays or nested objects (for example, a list of roles). The tool formats them to make them easier to read.

Limitations / Disclaimers

This tool decodes JWTs but does not verify signatures.
A readable payload does not guarantee the token is valid or trusted.
JWTs may contain sensitive data; handle them carefully.
Non-standard tokens or encrypted tokens (JWE) may not display meaningful results.

External References / Sources

Related Calculators

Chronometer

Use a simple chronometer (stopwatch) to track elapsed time down to milliseconds. Runs locally in your browser.

Try Now

Email normalizer

Normalize email addresses to a standard format for easier comparison. Useful for deduplication and data cleaning. Runs locally in your browser.

Try Now

ETA calculator

Estimate the time needed to consume a total amount at a constant rate, and get an expected end time. Runs locally in your browser.

Try Now

MIME types

Know which file extensions are associated to a MIME type, and which MIME type is associated to a file extension. Includes a full MIME types table.

Try Now

Lorem ipsum generator

Generate random Lorem Ipsum placeholder text with customizable paragraphs, sentences, and word counts. Runs locally in your browser.

Try Now

HTTP status codes

Browse and search HTTP status codes (1xx–5xx). Includes WebDAV codes. Runs locally in your browser.

Try Now