JWT Decoder Online Free — Decode JSON Web Tokens
Decode and inspect any JWT token instantly. View the header (algorithm, type), payload (all claims with human-readable dates), and raw signature. The token info bar shows active/expired status and exact expiry countdown. Everything runs in your browser — your token is never sent anywhere.
100% client-side. JWT tokens are decoded locally in your browser using JavaScript. No token data is ever transmitted to any server.
How to Decode a JWT Online
- 01 Paste your JWT: Paste any JWT token into the input area. Click "Paste sample" to try a pre-loaded example immediately.
- 02 Inspect header and payload: See the decoded header (algorithm, token type), payload (all claims with human-readable dates), and raw signature.
- 03 Check expiry and status: The token info bar shows whether the token is active or expired, the algorithm badge, and the exact expiry time.
Frequently Asked Questions
What is a JWT token?
A JSON Web Token (JWT) is a compact, URL-safe token format used for authentication and information exchange. It consists of three Base64URL-encoded parts separated by dots: a header (algorithm and token type), a payload (claims/data), and a signature. JWTs are commonly used in OAuth 2.0 and OpenID Connect flows.
Is it safe to paste my JWT into this tool?
Privatool decodes JWTs entirely in your browser — the token is never sent to any server. However, as a general security principle, you should never paste production tokens that grant access to real systems, payment data, or personal information into any online tool. Use sample tokens or tokens from development/staging environments for testing.
Can this tool verify JWT signatures?
No. Signature verification requires the secret key (for HMAC algorithms like HS256) or the public key (for RSA/ECDSA algorithms like RS256). This tool can only decode the header and payload — it cannot confirm whether the signature is valid. Verification must be done server-side using a trusted JWT library.
What does the exp claim mean?
The exp (expiration time) claim is a Unix timestamp indicating when the token expires. After this time, the token should be rejected by the server. The decoder shows this as a human-readable date and time, and indicates whether the token is currently active or has already expired.
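The decode-only inspection described in the answers above, as an added example that is not Privatool's own code: it splits the token, Base64URL-decodes the header and payload, and reports the exp status without checking the signature. The function names and sample tokens are constructed for illustration; the edited token decodes cleanly, which is why decoded claims are not proof that a token is valid.

```javascript
// Added example: decode-only JWT inspection. No signature check is performed.
function b64urlToJson(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error("invalid Base64URL segment");
  // Base64URL swaps '+' and '/' for '-' and '_' and drops '=' padding; undo both.
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}

function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const header = b64urlToJson(parts[0]);
  const payload = b64urlToJson(parts[1]);
  let status = "no exp claim";
  let expiresAt = null;
  if (typeof payload.exp === "number" && Number.isFinite(payload.exp)) {
    expiresAt = new Date(payload.exp * 1000).toISOString();
    // A token is expired once the current time reaches exp.
    status = nowSeconds >= payload.exp ? "expired" : "active";
  }
  // verified is always false: decoding proves nothing about who issued the token.
  return { header, payload, signature: parts[2], status, expiresAt, verified: false };
}

// Constructed sample tokens (hypothetical values, placeholder signature).
const encodeSegment = (obj) =>
  btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const HEADER = encodeSegment({ alg: "HS256", typ: "JWT" });
const SIGNATURE = "placeholder-signature";
const SAMPLE = [HEADER, encodeSegment({ sub: "user-123", role: "user", exp: 1700000000 }), SIGNATURE].join(".");
// Same signature, edited payload: it still decodes, so only server-side
// verification can reject it.
const TAMPERED = [HEADER, encodeSegment({ sub: "user-123", role: "admin", exp: 1700000000 }), SIGNATURE].join(".");

console.log(inspectJwt(SAMPLE, 1699999999));
console.log(inspectJwt(TAMPERED, 1699999999).payload.role);
```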
What is the difference between HS256 and RS256?
HS256 (HMAC with SHA-256) is a symmetric algorithm — the same secret key is used to both sign and verify tokens. RS256 (RSA with SHA-256) is asymmetric — a private key signs the token and a public key verifies it. RS256 is preferred when different parties need to verify tokens without sharing a secret.