Skip to main content
Datamata Studios
Back to Utilities
ANALYZER

JWT Decoder

Decode JSON Web Tokens and inspect the header, payload claims and expiry — entirely in your browser, no data sent to any server.

Security notice: Never paste production JWTs or tokens containing sensitive data. This tool runs entirely in your browser — nothing is sent to any server.

JWTs in modern data and backend workflows

JSON Web Tokens show up in OAuth2 access tokens, service-to-service calls, mobile session bridges and increasingly in event streams that carry signed claims. They are attractive because the resource server can validate structure and expiry without a synchronous call to a central session store — at the cost of careful key rotation and revocation design. Analysts and engineers often need to read the claims payload during incident response: which tenant ID was embedded, which scopes were granted, whether exp lines up with the outage window. This page’s decoder helps you inspect those fields quickly while repeating the warning that decoding is not verifying and must never replace your framework’s signature checks in production code.

Security reminder

Never paste production access tokens into untrusted websites. This tool runs locally in your browser session; still minimise what you paste, rotate credentials if they may have leaked and prefer redacted samples when collaborating in chat.

subSubject — who the token is about
issIssuer — which service minted the token
expExpiry as Unix seconds
iatIssued-at timestamp
nbfNot valid before this instant
audIntended audience(s)

Header, payload and signature at a glance

A compact JWT is three segments separated by dots. The header names the signing algorithm and token type. The payload carries standard claims such as iss, sub, aud, exp and iat plus vendor-specific JSON. The signature binds header and payload with a secret or private key. Our decoder shows header and payload as JSON for readability. The signature segment is shown as raw text because verifying it requires cryptographic material you should not paste into a generic web form.

Interpreting exp, nbf and clock skew

exp marks the instant after which the token should be rejected; nbf optionally marks the earliest valid time. Real systems must tolerate small clock skew between issuers and validators. When you are debugging “random” 401 responses, compare exp to wall-clock time in UTC, check whether your value is in seconds or milliseconds and confirm the issuer did not shorten token lifetime during an incident. The Unix Timestamp Converter pairs cleanly with this page for that investigation loop.

Encoding relationships: Base64url and URL encoding

JWT segments use Base64url, not standard Base64, so + and / and padding rules differ slightly from what you might expect from older stackoverflow snippets. If you are extracting a segment manually for other tools, use the Base64 Encoder & Decoder where appropriate, or keep the JWT intact and let this decoder split segments for you. When claims contain nested JSON strings that are themselves URL-encoded, return to the URL Encoder & Decoder and Query String ⇄ JSON pages to normalise each layer deliberately rather than guessing.

Operational tips for teams

Store example JWTs in runbooks as revoked or synthetic tokens only. When comparing two environments, diff decoded payloads side by side after formatting JSON in the JSON Formatter. For database-side expiry logic that mirrors JWT rules, prototype predicates in the SQLite Playground before you ship complex SQL to a shared warehouse.

Frequently asked questions

Related Tools

Base64 Encoder & Decoder

JWTs use Base64url — decode any segment directly.

URL Encoder & Decoder

Encode or decode URL query strings and parameters.

Unix Timestamp Converter

Convert JWT exp/iat timestamps to readable dates.

Same hub cluster

JSON and API payloads

Validate and diff JSON, convert to YAML or XML, decode JWTs and turn query strings into structured objects.

When to use this cluster: Use this cluster when you are debugging API payloads, config files or token claims and want structure without leaving the tab.

Open cluster on hub
ValidatorJSON ValidatorValidate JSON syntax instantly. Check for errors, missing quotes, trailing commas and structural issues. Get detailed error messages to fix invalid JSON quickly.FormatterJSON FormatterFormat, beautify and minify JSON instantly. Choose your indentation level for clean, readable output or compress for production.AnalyzerJSON Diff ViewerCompare two JSON objects side-by-side and see added, removed and changed keys highlighted in green, red and yellow. Perfect for API response diffs.ConverterJSON ⇄ XML ConverterBidirectional converter for JSON and XML. Instantly convert between JSON and XML formats preserving structure, arrays and attributes.ConverterYAML ⇄ JSON ConverterBidirectional converter for YAML and JSON. Perfect for configuration files, CI/CD pipelines and Kubernetes manifests.GeneratorJSON Schema GeneratorPaste any JSON and instantly generate a JSON Schema (Draft-07 or 2020-12). Auto-detects types, formats, required fields and nested objects.ConverterQuery String ⇄ JSONParse URL query strings into JSON or build query strings from flat JSON objects. Handles duplicate keys, full URLs and array values — all in your browser.
JWT Decoder — Free Online Tool | Datamata Studios | Datamata Studios