JWT Decoder

Algorithm guide

  • HS256: HMAC SHA-256 — symmetric secret signing, common for internal APIs.
  • RS256: RSA SHA-256 — asymmetric, typical for OAuth / OIDC providers.
  • ES256: ECDSA SHA-256 — elliptic-curve signatures, smaller keys.

Common payload claims

  • sub: Subject — user or principal identifier
  • iss: Issuer — who created the token
  • aud: Audience — intended recipient
  • jti: JWT ID — unique token identifier

JWT Debugger - Decode JWT Tokens Online

Free JWT debugger: decode header & payload, inspect exp/iat claims. Runs locally — no upload.

Paste a JWT — header, payload, and signature are parsed and formatted as JSON automatically.

A JWT consists of three Base64URL-encoded parts separated by dots: Header (algorithm and type), Payload (claims like user ID and expiration), and Signature (verification hash). Decoding lets developers inspect token claims, debug authentication issues, and verify expiration times without writing code.

WaiHub's JWT Decoder parses tokens in your browser and displays formatted Header and Payload JSON with exp/iat status indicators. Important: decoding reveals content but does NOT verify the signature. Never paste production tokens into untrusted websites.

  • Instant Header and Payload decoding
  • Formatted JSON output with syntax highlighting
  • exp/iat expiration status indicators
  • Debug OAuth and API authentication
  • No server upload — browser-only processing
  • Understand token claims and structure

Features

  • Decode JWT Header and Payload instantly
  • Formatted JSON with readable indentation
  • Show exp (expiration) and iat (issued at) status
  • Highlight expired or soon-to-expire tokens
  • Built-in example tokens for learning
  • Copy decoded sections individually
  • Handle Base64URL encoding correctly
  • Clear error messages for invalid tokens
  • Educational tool for JWT structure
  • Works locally in browser

How To Use

  1. Paste your JWT token

    Copy the Bearer token from your API response, browser dev tools, or OAuth callback. Paste the full three-part token.

  2. View decoded sections

    Header and Payload are automatically decoded and displayed as formatted JSON. Check the algorithm in Header and claims in Payload.

  3. Check expiration status

    Look at exp and iat fields. The tool highlights whether the token is expired, valid, or expiring soon.

  4. Copy decoded content

    Copy individual Header or Payload sections for documentation or further analysis with other tools.

Examples

Standard JWT

JWT Token

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Decoded Payload

{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}
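
The decode and exp/iat check described above, as an added JavaScript example (not WaiHub's code). The function names, the status strings and the 300-second "expiring soon" window are assumptions; like the tool, it does not verify the signature.

```javascript
// Added example: decode-only JWT inspection, no signature verification.
// Runs in a browser or Node 16+ (uses only atob/btoa and TextDecoder).

// Base64URL segment -> JSON object. Throws on bad characters, UTF-8 or JSON.
function decodePart(part) {
  if (!/^[A-Za-z0-9_-]+$/.test(part)) throw new Error('not Base64URL');
  const b64 = part.replace(/-/g, '+').replace(/_/g, '/')
    .padEnd(Math.ceil(part.length / 4) * 4, '=');
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  const obj = JSON.parse(new TextDecoder('utf-8', { fatal: true }).decode(bytes));
  if (obj === null || typeof obj !== 'object' || Array.isArray(obj)) throw new Error('not a JSON object');
  return obj;
}

// Helper used only to build constructed sample tokens (ASCII JSON only).
function encodePart(obj) {
  return btoa(JSON.stringify(obj)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Returns { header, payload, status, warnings }. `now` and `soon` are in seconds.
function inspectJwt(token, now = Math.floor(Date.now() / 1000), soon = 300) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  let header, payload;
  try {
    header = decodePart(parts[0]);
    payload = decodePart(parts[1]);
  } catch (err) {
    throw new Error('header or payload is not Base64URL-encoded JSON: ' + err.message);
  }
  // Nothing below checks the signature, so every claim is unverified input.
  const warnings = ['signature not verified'];
  if (String(header.alg).toLowerCase() === 'none') warnings.push('alg is none (unsigned token)');
  if (parts[2] === '') warnings.push('signature segment is empty');
  if (typeof payload.iat === 'number' && payload.iat > now) warnings.push('iat is in the future');
  let status = 'no-exp';
  if (typeof payload.exp === 'number') {
    if (payload.exp <= now) status = 'expired';
    else if (payload.exp - now <= soon) status = 'expiring-soon';
    else status = 'not-expired';
  }
  return { header, payload, status, warnings };
}

// The example token from this page; it carries iat but no exp claim.
const sample =
  'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c';
console.log(inspectJwt(sample));
```

A status of not-expired says only that exp lies in the future; the claims stay untrusted until the signature has been verified with the key.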

FAQ

Is this JWT decoder free?
Yes. Completely free with no signup.
Is my token uploaded?
No. Decoding happens entirely in your browser.
Does decoding verify the signature?
No. Decoding only reveals content. Verifying the signature requires the key (the shared secret for HS256, or the public key for RS256 and ES256) and is done by the server that accepts the token.
Can I decode production tokens?
Avoid pasting production tokens into any online tool. Use test tokens for debugging.
Can I use it commercially?
Yes. Free for personal and commercial development.
What are common JWT claims?
sub (subject/user ID), iat (issued at), exp (expiration), iss (issuer), aud (audience), and custom application claims.
