How to Decode a JWT Token Online

Got a JWT token from an API response or authentication flow and want to see what's inside? You can decode and inspect it without the secret key.

Open JWT Decoder: 100% free. No sign-up. Works in your browser.

Quick Answer

Paste any JWT token into the decoder at dotsapps.com to instantly see the header, payload, and all claims. No secret key is needed for decoding: the signed JWTs used in most authentication flows are Base64URL-encoded, not encrypted.

What's Inside a JWT Token

A JWT (JSON Web Token) has three parts separated by dots: header.payload.signature. The header and payload are Base64URL-encoded JSON; the signature is Base64URL-encoded raw bytes, not JSON.

Header — Contains the token type (typ, normally JWT), the signing algorithm (alg, such as HS256 or RS256) and often a key ID (kid) telling the verifier which key to use.

Payload — Contains the claims (data). This is the useful part. Common claims include:

  • sub — Subject (usually the user ID)
  • name — User's name
  • email — User's email
  • iat — Issued at (Unix timestamp)
  • exp — Expiration time (Unix timestamp)
  • iss — Issuer (who created the token)
  • aud — Audience (who the token is for)

Signature — Proves that the header and payload were produced by whoever holds the signing key and haven't been changed since. Checking it needs the shared secret (HS256) or the issuer's public key (RS256); reading the header and payload needs neither.

Why You Can Decode a JWT Without the Secret Key

This surprises many developers: JWTs are signed, not encrypted. The header and payload are just Base64URL-encoded. Anyone can decode them.

The signature prevents tampering — if you change the payload, the signature becomes invalid. But it doesn't prevent reading.

This means never put sensitive data in a JWT payload. Don't store passwords, credit card numbers, or secret keys in tokens. Anyone who intercepts the token can read everything in it.

If you need encrypted tokens, look into JWE (JSON Web Encryption). But for most authentication flows, signed JWTs with non-sensitive claims are the standard approach.

How to Check if a JWT Token Has Expired

The exp claim contains the expiration time as a Unix timestamp (seconds since January 1, 1970).

When you paste a JWT into the decoder at dotsapps.com, the tool converts timestamps to human-readable dates automatically. You can instantly see when the token was issued and when it expires.

If the current time is at or past the exp value, the token is expired. Most libraries allow a small leeway (typically a minute or two) for clock skew between the issuer and the verifier, and also honor an nbf (not before) claim when present. Most authentication libraries automatically reject expired tokens, which is why you get "token expired" errors.

To fix an expired token, you typically need to re-authenticate or use a refresh token to get a new access token. You cannot extend a token's expiration — that would require changing the payload, which invalidates the signature.

Debugging JWT Authentication Issues

When JWT auth isn't working, decoding the token is the first debugging step. Here's what to check:

  1. Is the token expired? Check the exp claim.
  2. Is the audience correct? The aud claim must match what the server expects.
  3. Is the issuer correct? The iss claim must match the expected identity provider.
  4. Are the required claims present? Some APIs need specific claims like roles or permissions.
  5. Is the algorithm correct? The header's alg field must match what the server is configured to accept, and the server must decide the algorithm itself rather than trusting the header. A server that honors "alg": "none" accepts unsigned tokens, and one that lets the header switch between HS256 and RS256 can be tricked into checking an HMAC made with its own public key.

Seeing the decoded token makes these issues obvious. Without decoding, you're guessing why authentication fails.

How to Do It: Step-by-Step

  1. Open the JWT Decoder at dotsapps.com
  2. Paste the complete JWT token (all three dot-separated parts)
  3. View the decoded header to check the algorithm
  4. View the decoded payload to see all claims and timestamps
  5. Check the expiration time and other claims for debugging

Try JWT Decoder Now →

Frequently Asked Questions

Is it safe to paste my JWT token into an online decoder?

At dotsapps.com, yes — the decoding happens entirely in your browser. The token is never sent to any server. Keep in mind that a JWT is a bearer credential: anyone who has it can use it until it expires, so treat it like a password. Before pasting a live production token into any online tool, confirm the decoding is client-side (for example by watching the browser's network tab), or use a test token or an already-expired one instead.

Can I edit a JWT token and use it?

You can change the payload, but the signature will no longer match it. A correctly configured server will reject the modified token unless you also re-sign it with the signing key: the shared secret for HS256, or the issuer's private key for RS256.

What does jwt expired mean?

It means the current time has passed the token's exp (expiration) claim. You need to get a new token by logging in again or using a refresh token. Expired tokens cannot be renewed.

What is the difference between HS256 and RS256?

HS256 uses a shared secret key for both signing and verification, so every service that verifies tokens also holds a key that can mint them. RS256 uses a private key for signing and a public key for verification, so only the auth server holds the private key and a compromised verifier cannot forge tokens. That separation is why RS256 (or the ECDSA equivalent, ES256) is the usual choice for distributed systems; HS256 is fine when the issuer and the verifier are the same service.

Why is my JWT token so long?

JWT length depends on the header, the number and size of claims in the payload, and the signature. Every custom claim you add increases the token size, and the signature alone is 32 bytes for HS256 but 256 bytes for RS256 with a 2048-bit key. Keep payloads minimal — store only essential data and look up additional details from a database when needed.

Ready to Try It?

JWT Decoder is free, private, and works right in your browser. No sign-up needed.

Open JWT Decoder
