JWT Formatter

How to use the JWT Formatter

Decode any JWT in seconds — paste, inspect, and understand your token with no setup required.

1. Paste your JWT

Copy your JSON Web Token — typically from an Authorization header, a cookie, or your application's local storage — and paste it into the input field. The tool accepts standard three-part (header.payload.signature) JWTs as well as JWTs prefixed with 'Bearer '.

2. Inspect the decoded sections

The formatter immediately splits the token at its dot delimiters, Base64url-decodes each part, and pretty-prints the Header and Payload as formatted JSON in separate panels. The Signature section is displayed as-is along with a note that signature verification requires the secret key, which is never requested.

3. Review claims and timestamps

Any Unix timestamp fields (iat, exp, nbf) are automatically converted and displayed alongside their human-readable local equivalents. Standard registered claim names are annotated with plain-English descriptions so you can confirm the token's issuer, subject, audience, and expiry at a glance.
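
The three steps above can be reproduced locally in a few lines, which is useful when a token should not leave your machine. This is an added example, not the tool's own code; `inspectJwt`, `b64urlToJson` and the sample token are assumptions constructed for illustration.

```javascript
// Added example; inspectJwt and b64urlToJson are hypothetical names, not the tool's API.
function b64urlToJson(part) {
  if (!/^[A-Za-z0-9_-]+$/.test(part)) throw new Error("segment is not Base64url");
  // Base64url -> Base64: swap the URL-safe characters and restore the padding.
  const b64 = part.replace(/-/g, "+").replace(/_/g, "/")
    .padEnd(Math.ceil(part.length / 4) * 4, "=");
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  // fatal: true rejects invalid UTF-8 instead of silently substituting U+FFFD.
  return JSON.parse(new TextDecoder("utf-8", { fatal: true }).decode(bytes));
}

function inspectJwt(input, nowSeconds = Math.floor(Date.now() / 1000)) {
  const token = input.trim().replace(/^Bearer\s+/i, "");
  const parts = token.split(".");
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated parts, got ${parts.length}`);
  }
  const [header, payload] = parts.slice(0, 2).map(b64urlToJson);
  // ISO 8601 UTC keeps the output deterministic; a UI would show local time instead.
  const times = {};
  for (const claim of ["iat", "nbf", "exp"]) {
    if (Number.isFinite(payload[claim])) {
      times[claim] = new Date(payload[claim] * 1000).toISOString();
    }
  }
  let status = "valid";
  if (Number.isFinite(payload.nbf) && nowSeconds < payload.nbf) status = "not yet active";
  else if (Number.isFinite(payload.exp) && nowSeconds >= payload.exp) status = "expired";
  // status only reflects the time window; nothing here checks the signature.
  return { header, payload, signature: parts[2], times, status, signatureVerified: false };
}

// Constructed sample token (dummy signature), built inline so the block runs offline.
const enc = (obj) => btoa(JSON.stringify(obj))
  .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE = "Bearer " + [
  enc({ alg: "HS256", typ: "JWT" }),
  enc({ iss: "https://idp.example", sub: "user-123", nbf: 1700000000, exp: 1700003600 }),
  "constructed-signature",
].join(".");

console.log(inspectJwt(SAMPLE, 1700000100));
```

The `status` field reports only where the current time falls relative to `nbf` and `exp`; the claims themselves remain unverified until a library checks the signature against the right key.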


When to use this tool

Reach for JWT Formatter whenever you need to quickly understand what's inside a token — during development, debugging, or security review.

  • Checking whether an access token has expired by inspecting the exp claim converted to a readable local timestamp.
  • Debugging an authentication issue by verifying the sub and iss claims match what your identity provider should be issuing.
  • Reviewing the roles or scopes encoded in a JWT's payload to confirm authorization logic is behaving correctly.
  • Onboarding new team members by showing them exactly what fields your auth tokens carry and what each claim means.
  • Validating the algorithm declared in the header (alg) to ensure tokens are signed with the expected method (e.g., RS256 vs HS256).
  • Quickly inspecting a token from a third-party OAuth provider to understand its structure before writing parsing logic.

Frequently asked questions

Q: Is it safe to paste a real JWT into this tool?
Yes — JWT Formatter decodes tokens entirely in your browser using client-side JavaScript. Your token is never sent to a server, logged, or stored anywhere. That said, as a general security best practice, avoid pasting long-lived or high-privilege production tokens into any online tool unless you fully trust its implementation; prefer using tokens from development or staging environments.
Q: Can this tool verify a JWT's signature?
No, and this is intentional. Signature verification requires key material: the shared secret for HMAC algorithms such as HS256, or the public key that matches the signing key for asymmetric algorithms such as RS256. A secret key should never be shared with a third-party tool. JWT Formatter is designed for inspection and debugging of the Header and Payload only, so treat the decoded claims as unverified. For signature verification, use your application's auth library or a trusted server-side tool where you control the key material.
Q: What JWT algorithms and token types are supported?
The decoder supports any standard JWT regardless of the signing algorithm declared in the header (HS256, RS256, ES256, PS256, etc.) because decoding the header and payload only requires Base64url-decoding — the algorithm is only relevant for signature verification. Encrypted JWTs (JWE) use a different structure and are not currently supported.
Q: How does the tool handle the exp (expiration) claim?
The exp value is a Unix timestamp (seconds since January 1, 1970 UTC). JWT Formatter converts it to a human-readable date and time in your browser's local timezone and clearly indicates whether the token is currently valid, expired, or not yet active based on your device clock. This makes it easy to diagnose token expiry issues without manual timestamp conversion.
Q: What are the standard JWT claims this tool explains?
The formatter annotates the seven registered claims defined in RFC 7519: iss (issuer), sub (subject), aud (audience), exp (expiration time), nbf (not before), iat (issued at), and jti (JWT ID). Each annotation provides a brief plain-English description of the claim's purpose directly below the decoded value in the Payload panel.
Q: Can I decode a JWT that was issued by Auth0, Cognito, Firebase, or another identity provider?
Yes. JWT Formatter works with tokens from any standards-compliant identity provider including Auth0, AWS Cognito, Firebase Authentication, Okta, Keycloak, Microsoft Entra ID (Azure AD), and custom implementations. The structure of a JWT is standardised by RFC 7519, so the tool decodes the Header and Payload regardless of which provider issued it.