JWT Decoder

Decode and inspect JWT tokens


About this tool

The ToolNinja JWT Decoder is a free online JSON Web Token decoder. Paste any JWT and instantly see the decoded header, payload, and signature in color-coded sections — purple for header, blue for payload, red for signature. Use it to decode JWT tokens when debugging authentication issues, inspect JWT claims like sub, iat, exp, and aud, check JWT expiry time in human-readable format, or verify the token structure before implementing JWT validation in your code. The expiry countdown tells you immediately if a token is still valid or has already expired. Unlike some online JWT tools, ToolNinja's JWT decoder runs 100% in your browser using JavaScript — your token, including any sensitive claims like user IDs, roles, and permissions, never leaves your machine. It's a privacy-first alternative to jwt.io for developers who work with sensitive authentication tokens. No login, no account, no server calls. Just paste and decode.

When to use it

  • Debugging authentication failures by inspecting what claims the token contains
  • Checking whether a token is expired without waiting for an API call to fail
  • Understanding what data your identity provider (Auth0, Cognito, Clerk) puts in the payload
  • Verifying the algorithm field in the header during a security review

Tips

  • JWTs are Base64URL-encoded, not encrypted. Anyone who has the token can read the payload.
  • The exp claim is a Unix timestamp — compare it to the current time to check expiry.
  • Never store sensitive user data (passwords, SSNs, credit cards) in JWT claims.
  • The signature validates that the token was issued by the expected server — but you need the secret key to verify it.

Frequently asked questions

Does this tool verify the JWT signature?

No. Signature verification requires the secret key or public key, which should never be shared with a browser-based tool. This decoder only reads the header and payload. Use your backend or a library like jsonwebtoken to verify signature integrity.

What does 'Token Expired' mean?

The exp (expiration) claim in the payload is a Unix timestamp. If the current time is past that timestamp, the token is expired and most APIs will reject it with a 401 Unauthorized response. You need to re-authenticate to get a fresh token.

Is it safe to paste my production JWT here?

The decoder runs entirely in your browser — nothing is sent to a server. That said, production JWTs contain real user data and grant access to real systems. Treat them like passwords: don't paste them into unfamiliar tools, and rotate them if you suspect exposure.

What's the difference between HS256 and RS256?

HS256 (HMAC-SHA256) uses a shared secret — both the issuer and verifier need the same key. RS256 (RSA-SHA256) uses a key pair — the issuer signs with a private key and anyone can verify with the public key. RS256 is preferred for multi-service architectures because services can verify tokens without holding the signing secret.
