
Decode and Inspect JWT Tokens Online

Paste a JWT into the input pane and click Decode JWT. The tool splits the token on dots, decodes the header and payload from Base64, and displays both as formatted JSON. If the token has an exp claim, it reports whether the token is still valid and how many minutes remain.


Made with ❤️ in India · © 2025 parsejsononline.com
What is this tool?

How to use

  1. Paste your JWT into the INPUT pane. A sample token is pre-loaded if you want to try first.
  2. Click Decode JWT.
  3. The output shows Header, Payload, and Expiry status as formatted JSON.
  4. The status bar shows VALID (expires in N min) or EXPIRED if an exp claim is present.

How it works

A JWT consists of three dot-separated parts: header.payload.signature. The header and payload are Base64URL-encoded JSON objects. The signature is not a plain hash: it is an HMAC or digital signature computed over the first two parts with a secret or private key held server-side.

This tool decodes the header and payload using the browser's built-in atob() function, then parses the result as JSON. The signature part is left undecoded and labeled (hidden — server-side only).

What it does not do: verify the signature. Signature verification requires the secret key (for HMAC algorithms) or the public key (for RSA/ECDSA), neither of which should be pasted into a browser tool. This tool is for inspecting what a token contains — not for deciding whether to trust it. Never use a decoded-but-unverified JWT to make authorization decisions.

Expiry check. If the payload contains an exp claim (a Unix timestamp), the tool compares it to the current time and reports whether the token is valid or expired, with minutes remaining if valid.

Base64URL limitation. JWTs use Base64URL encoding, which substitutes - for + and _ for /. This tool passes the parts directly to atob() without normalizing those characters first. Most common JWTs decode successfully, but tokens whose Base64 encoding happens to contain - or _ will throw a decoding error. For guaranteed compatibility across all JWTs, use a dedicated library like jwt-decode.
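One way to decode without the limitation described above, as an added example (not this tool's code): it normalizes the Base64URL alphabet, restores padding, decodes UTF-8, and reports expiry in the same VALID/EXPIRED form. The names b64urlDecode, inspectJwt, b64urlEncode and sampleToken are assumptions made for this sketch, and the sample token is constructed.

```javascript
// Added example: Base64URL-safe JWT inspection. Decodes only; verifies nothing.

// Base64URL segment -> UTF-8 string.
function b64urlDecode(segment) {
  if (!/^[A-Za-z0-9_-]*$/.test(segment)) throw new Error("not Base64URL");
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");  // back to the atob() alphabet
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4); // JWTs strip '=' padding
  const binary = atob(padded);                                 // one char per byte
  const bytes = Uint8Array.from(binary, (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8").decode(bytes);               // keeps non-ASCII claims intact
}

// Returns decoded header/payload plus an expiry status string.
// `verified` is always false: the signature segment is never checked here.
function inspectJwt(token, nowMs = Date.now()) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const header = JSON.parse(b64urlDecode(parts[0]));
  const payload = JSON.parse(b64urlDecode(parts[1]));
  let expiry = "no exp claim";
  if (typeof payload.exp === "number") {
    const msLeft = payload.exp * 1000 - nowMs;                 // exp is in seconds
    expiry = msLeft > 0
      ? `VALID (expires in ${Math.floor(msLeft / 60000)} min)`
      : "EXPIRED";
  }
  return { header, payload, expiry, verified: false };
}

// Helper used only to build the constructed sample below.
function b64urlEncode(text) {
  const bytes = new TextEncoder().encode(text);
  return btoa(String.fromCharCode(...bytes))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Constructed sample token. Three '?' in a row guarantee a '_' in the
// encoded payload, the case that a bare atob() call rejects.
const sampleToken = [
  b64urlEncode(JSON.stringify({ alg: "HS256", typ: "JWT" })),
  b64urlEncode(JSON.stringify({ sub: "u-1", name: "Zoë", note: "???", exp: 1700003600 })),
  "not-a-real-signature",
].join(".");

console.log(inspectJwt(sampleToken, 1700000000 * 1000));
```

The returned object is for display and debugging only; authorization decisions still require signature verification on the server.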

FAQ

Does this tool verify the JWT signature?

No. Signature verification requires the secret key (for HMAC algorithms) or the public key (for RSA/ECDSA), neither of which should be pasted into a browser tool. This tool only decodes the header and payload. Use your backend or a dedicated library (jsonwebtoken, PyJWT) for verification.

Is my token sent anywhere?

No. Decoding uses the browser's built-in atob() function. The token never leaves your machine — there are no network requests involved.

What is the exp claim?

exp is a standard JWT claim containing a Unix timestamp (seconds since epoch) indicating when the token expires. The tool compares it to Date.now() and shows how many minutes remain, or marks it as EXPIRED.

Why does my token fail to decode?

The most common reason is that the token's Base64URL encoding contains a - or _ character, which the browser's atob() does not accept without normalization. This tool does not normalize the Base64URL alphabet. Try a dedicated JWT library for these tokens.

What are the three parts of a JWT?

Header (algorithm and token type), Payload (claims such as sub, iss, exp, and any custom fields), and Signature (an HMAC or digital signature over header + payload, produced with a secret or private key). Only the first two are human-readable JSON.

Can I use this to debug an expired session?

Yes. Paste the token from your Authorization header or cookie, and the Expiry field tells you immediately whether expiry is the cause. The Payload shows iss (issuer) and sub (subject) for further debugging.

Related tools

Base64 to/from JSON: Encode or decode JSON as Base64.
Escape / Unescape JSON: Escape JSON strings for embedding in other formats.
JSON Formatter: Format and inspect any JSON payload.