Free Online JWT Decoder: Decode and Inspect JWTs in Your Browser

BY TOOLS.FUN  ·  MARCH 28, 2026  ·  5 min read

JSON Web Tokens (JWTs) are the backbone of modern API authentication. Every time you log into a web app, there's a good chance a JWT is being issued and verified in the background. But when you need to inspect a JWT — check its claims, verify expiry, or debug an authentication issue — what do you do if you don't want to install a tool or paste your token into an unknown third-party service? Here's how to decode and analyze JWTs using free, trustworthy browser tools.

Part of the Tools for Security Professionals series. See the hub article for the complete guide.

JWT Structure: Header.Payload.Signature

A JWT consists of three base64url-encoded parts separated by dots: header.payload.signature. The header identifies the token type and signing algorithm. The payload contains the claims (user ID, roles, expiry, etc.). The signature verifies the token was issued by a trusted party. To inspect a JWT, you just need to decode the first two parts — the signature requires the secret key to verify.

Base64 Decoder — The Core JWT Decoding Tool

JWT segments are base64url-encoded (standard base64 with + replaced by - and / replaced by _, with padding stripped). To decode a JWT manually, split the token on the dots, take the first segment (header) or second segment (payload), and paste it into the base64 decoder. You'll get the raw JSON for each segment without sending your token to any external service.

How to decode a JWT header: Copy everything before the first dot in your JWT, paste it into the base64 decoder, and read the algorithm (alg) and token type (typ) fields.
How to decode a JWT payload: Copy the section between the first and second dots and paste it into the base64 decoder. If it doesn't decode cleanly, append = characters (one or two) until the length is a multiple of four — base64url strips the padding that standard base64 requires.

JSON Formatter — For Reading JWT Payload Claims

Once you've base64-decoded your JWT payload, you'll have a compact JSON object. Paste it into the JSON formatter to get a readable, indented view of all the claims. This makes it easy to find the sub (subject/user ID), exp (expiry), iat (issued-at), aud (audience), and any custom claims your application adds.

Best for: Reading all claims in a JWT payload at a glance, verifying that the correct user ID and roles are present in a token, and checking that custom application claims are correctly populated.
Common JWT claims to look for: sub (user identifier), exp (expiry Unix timestamp), iat (issued-at Unix timestamp), nbf (not-before timestamp), iss (issuer), aud (audience), jti (unique token ID).

Timestamp Converter — Checking Token Expiry

The exp and iat claims in a JWT payload are Unix epoch timestamps in seconds — numbers like 1711670400. To understand when a token expires or when it was issued, paste these values into the timestamp converter. You'll immediately see whether a token has already expired, how much time remains, or whether the issued-at time matches the timing of the expected authentication event.

Best for: Checking whether a JWT has expired, verifying that token issuance time matches a login event, and debugging "token expired" errors by seeing exactly when the token stopped being valid.
Common issue: JavaScript's Date.now() returns milliseconds, but JWT timestamps are in seconds. If your exp check is failing, you may be comparing milliseconds to seconds — multiply the JWT timestamp by 1000 before comparing to Date.now().

MD5 / Hash Tool — Understanding Signature Verification

The JWT signature is computed over the header.payload string (the two base64url segments joined by a dot) using the algorithm named in the header (HS256, RS256, etc.). For HS256 tokens that algorithm is HMAC-SHA256, a keyed hash over that string with the shared secret, so understanding how HMAC works helps you verify that your signature validation logic is correct. The hash tool here uses MD5, which is an unkeyed hash, but the hash-then-compare step it shows is the one HMAC builds on.

Best for: Understanding how JWT signature construction works conceptually, testing hash-based signing logic before implementing it in production code, and verifying that two JWT implementations produce the same signatures for the same inputs.

URL Decoder — For URL-Safe Base64 Handling

JWT uses base64url encoding, which differs from standard base64 in two character substitutions and padding removal. Some implementations pass JWTs in URL query parameters, where the dot separators and base64 characters need additional encoding. The URL decoder helps you untangle JWTs that have been URL-encoded before they've been passed through a redirect or stored in a cookie string.

Best for: Decoding JWTs that have been URL-encoded as query parameters, untangling tokens passed through OAuth redirect flows, and debugging authentication callbacks where the token arrives percent-encoded.

Regex Tool — Extracting JWT Claims Patterns

When processing multiple JWTs in log files or audit trails, regex helps extract specific claim values from decoded payloads. Build patterns to extract sub values, filter tokens by iss, or identify tokens with specific role claims. Test your extraction patterns here before building them into log analysis pipelines or security audit scripts.

Best for: Extracting JWT claim values from log files during security audits, building patterns to identify tokens with specific permissions, and analyzing JWT claim distributions across a dataset of decoded tokens.

Password Generator — Generating JWT Signing Secrets

For HS256 JWT implementations, the security of every token depends entirely on the strength of the signing secret. A weak or predictable secret makes all your tokens forgeable. Generate a cryptographically strong random secret of at least 32 characters (256 bits) here; this is the minimum recommended for HS256 signing. Note that the 256-bit figure assumes each character carries a full byte of entropy: a 32-character string drawn from a smaller alphabet carries less, so 32 random bytes (hex- or base64-encoded for storage) are the safer reading of the rule. Store it in your secrets manager, never in source code.

Best for: Generating strong JWT signing secrets for HS256 implementations, rotating compromised signing secrets, and creating unique per-service signing keys for microservice architectures.
Security rule: Never use the same JWT signing secret for development, staging, and production environments. Generate a unique strong secret for each environment and rotate production secrets regularly.
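How an HS256 signature is actually computed and checked, with a secret of the strength recommended above. This is an added example, not tools.fun's code; the header and payload values are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets

def b64url(raw: bytes) -> str:
    """base64url as JWT uses it: -/_ alphabet, padding stripped."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def generate_hs256_secret() -> bytes:
    """32 random bytes from the OS CSPRNG: the 256 bits recommended for HS256.
    Store the encoded form in a secrets manager, never in source."""
    return secrets.token_bytes(32)

def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """HS256: HMAC-SHA256 over the ASCII 'header.payload' string, appended as the third segment."""
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + b64url(json.dumps(payload, separators=(",", ":")).encode()))
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(mac)

def verify_hs256(token: str, secret: bytes) -> bool:
    """Recompute the MAC over the received header.payload and compare in constant time.
    Only the algorithm this verifier implements is accepted from the header."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    head, body, sig = parts
    try:
        header = json.loads(base64.urlsafe_b64decode(head + "=" * (-len(head) % 4)))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return False
    if header.get("alg") != "HS256":
        return False
    expected = hmac.new(secret, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(b64url(expected).encode("ascii"), sig.encode("utf-8"))

if __name__ == "__main__":
    # Constructed header/payload for illustration only.
    secret = generate_hs256_secret()
    token = sign_hs256({"alg": "HS256", "typ": "JWT"}, {"sub": "user-1234", "exp": 1711674000}, secret)
    print(token)
    print(verify_hs256(token, secret), verify_hs256(token, generate_hs256_secret()))
```

Two implementations that both follow this construction produce byte-identical signatures for the same header, payload and secret, which is what the "compare two implementations" use case above relies on.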

A Complete JWT Debugging Workflow Without Any Tool Installed

Here's a complete JWT debugging workflow using only free browser tools:

1. Split the JWT on dots into three parts.
2. Base64-decode the first part to read the header and check the algorithm.
3. Base64-decode the second part to get the payload JSON.
4. Format the payload JSON to read all claims clearly.
5. Convert the exp timestamp to check if the token has expired.
6. If needed, check the issuer and audience claims against your expected values.

This covers 95% of JWT debugging scenarios without installing anything or sending your token to an unknown third-party service.
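The same workflow carried out in code, including the padding repair from the base64 section and the seconds-versus-milliseconds pitfall from the timestamp section. This is an added example, not tools.fun's code; the token, issuer and audience values are constructed.

```python
import base64
import json

def b64url(raw: bytes) -> str:
    """base64url: standard base64 with + and / replaced by - and _, padding stripped."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

# Constructed sample token (not from any real system); the signature segment is a
# placeholder, since only the key holder can verify it anyway.
SAMPLE_PAYLOAD = {"sub": "user-1234", "iss": "https://issuer.example",
                  "aud": "api.example", "iat": 1711670400, "exp": 1711674000}
SAMPLE_JWT = ".".join([
    b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode()),
    b64url(json.dumps(SAMPLE_PAYLOAD, separators=(",", ":")).encode()),
    "c2lnbmF0dXJlLXBsYWNlaG9sZGVy",
])

def decode_segment(segment: str) -> bytes:
    """Steps 2/3: restore the '=' padding base64url strips (length to a multiple of 4), then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_jwt(token: str) -> tuple:
    """Step 1: split on dots; return (header, payload, signature_b64url)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated segments, got {len(parts)}")
    return json.loads(decode_segment(parts[0])), json.loads(decode_segment(parts[1])), parts[2]

def inspect_claims(payload: dict, now: int, expected_iss: str, expected_aud: str, leeway: int = 60) -> list:
    """Steps 5-6: time-window and issuer/audience checks, all in Unix seconds.
    Returns a list of findings; an empty list means every check passed."""
    findings = []
    exp = payload.get("exp")
    if exp is None:
        findings.append("no exp claim: token never expires")
    elif exp > 10**12:  # heuristic: a 'seconds' value this large is almost certainly milliseconds
        findings.append("exp looks like milliseconds, not seconds")
    elif now > exp + leeway:
        findings.append(f"expired {now - exp} s ago")
    nbf = payload.get("nbf")
    if nbf is not None and now + leeway < nbf:
        findings.append("not yet valid: nbf is in the future")
    if payload.get("iss") != expected_iss:
        findings.append(f"issuer mismatch: {payload.get('iss')!r}")
    aud = payload.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        findings.append(f"audience mismatch: {aud!r}")
    return findings
```

Step 4 is `json.dumps(payload, indent=2)` on the decoded payload; calling `inspect_claims(payload, int(time.time()), "https://issuer.example", "api.example")` on the sample token reports it as expired, since its exp lies in March 2024.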

JWT debugging is a daily reality for anyone building authenticated APIs. Bookmark tools.fun and work through token issues directly in the browser with tools you can trust.
