JWT Decoder - Decode JWT Token Online

Decoding happens locally in your browser. Your token is never sent to our servers.

JWTs often look like opaque strings, but debugging auth issues usually requires quickly inspecting header/payload claims (exp, iat, scopes, user info).

Decode JWT header and payload instantly. No verification, no server upload. Works in your browser.


Why you may need this tool

JWTs are widely used for authentication and authorization, but the raw token string is difficult to reason about. When requests fail, you often need to check expiration (`exp`), issued-at (`iat`), audience, issuer, and role/scope claims to understand whether the issue is a token problem or a server-side rule. Decoding the header and payload into readable JSON helps you debug with evidence instead of assumptions. It is important to remember that decoding is not the same as verifying a signature.

How to use

Paste the JWT, then review header and payload claims such as exp/iat/nbf, roles, and audience.

  1. Paste your JWT token
  2. View decoded header and payload
  3. Copy JSON or inspect standard claims (exp/iat/nbf)

Examples

Confirming whether a token is expired
If exp is in the past, requests can fail even when the server logic is correct. Decoding lets you confirm the expiration and focus on refresh or issuance flow.
Checking roles/scopes when authorization fails
A “forbidden” response often comes from missing role/scope claims. Inspecting the payload helps you verify whether the token includes the expected permissions.

Benefits & differentiators

Fast inspection helps you narrow down the failure mode: expired token, missing claims, wrong environment, or incorrect roles. This reduces time spent chasing unrelated server logic. Decoded claims are also easier to compare across environments (dev/staging/production) when you need to verify that issuance settings are consistent.

Who this is for

Recommended if you:

  - debug login/session issues involving JWTs
  - verify claim values like exp, aud, iss, role, or scope
  - compare tokens across environments
  - want quick visibility into token structure without manual decoding

FAQ

Does this verify JWT signatures?
No. This tool only decodes the JWT parts (header/payload). Signature verification requires a secret/public key and is not performed here.
Is my token uploaded to a server?
No. Decoding runs entirely in your browser. Your token is not sent to our servers.
Why is my JWT invalid?
A JWT must have 3 dot-separated parts. The header and payload must be valid Base64URL-encoded JSON.
What are exp/iat/nbf?
They are standard JWT claims: exp (expires at), iat (issued at), nbf (not before). Values are usually Unix seconds.
Can I decode a JWE (encrypted JWT)?
No. Encrypted JWTs (JWE) cannot be decoded without decryption keys.
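
The FAQ's validity rules and time claims, as an added JavaScript example (not this tool's own code): it splits the token, decodes header and payload from Base64URL, and reports exp/nbf/iat against a given clock value. The names `inspectJwt`, `b64urlToJson`, `toB64url` and the sample token are constructed for illustration; a five-part input is reported as a likely JWE because the JWE compact form has five segments.

```javascript
// Added example with hypothetical helper names. Decode only: no signature check.
function b64urlToJson(segment) {
  // Base64URL uses '-' and '_' and drops '=' padding; restore standard Base64 first.
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder("utf-8", { fatal: true }).decode(bytes));
}

function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length === 5) {
    throw new Error("5 parts: looks like a JWE, which needs a decryption key");
  }
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated parts, got ${parts.length}`);
  }
  let header, payload;
  try {
    header = b64urlToJson(parts[0]);
    payload = b64urlToJson(parts[1]);
  } catch (e) {
    throw new Error("header/payload is not Base64URL-encoded JSON: " + e.message);
  }
  // Time claims are Unix seconds; report each one relative to nowSeconds.
  const status = [];
  if (typeof payload.exp === "number" && nowSeconds >= payload.exp) status.push("expired");
  if (typeof payload.nbf === "number" && nowSeconds < payload.nbf) status.push("not yet valid");
  if (typeof payload.iat === "number" && payload.iat > nowSeconds) status.push("issued in the future");
  return { header, payload, status, signatureVerified: false };
}

// Constructed sample token with a dummy signature, built inline so this runs offline.
function toB64url(obj) {
  const bin = String.fromCharCode(...new TextEncoder().encode(JSON.stringify(obj)));
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
const SAMPLE = [
  toB64url({ alg: "HS256", typ: "JWT" }),
  toB64url({ sub: "user-1", scope: "read", iat: 1700000000, nbf: 1700000000, exp: 1700003600 }),
  "constructed-signature",
].join(".");

console.log(inspectJwt(SAMPLE, 1700007200)); // clock set two hours after iat
```

The result always carries `signatureVerified: false`: decoded claims are unauthenticated input until a verifier holding the right key has checked the signature.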
