Free Online JWT Decoder and Inspector

Decode and inspect JSON Web Tokens (JWT) with HubKit's JWT decoder. View the header, payload, and signature of any JWT without needing a secret key. Ideal for debugging authentication flows, inspecting OAuth tokens, and verifying token claims in API development.

How to Use

Paste your JWT string into the input field. The decoder instantly splits the token into its three parts — header, payload, and signature — and displays the decoded JSON with syntax highlighting. Expiration dates and timestamps are automatically converted to readable formats.

Features

Frequently Asked Questions

Can I decode a JWT without the secret key?

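Yes. JWTs are Base64url-encoded, not encrypted. You can decode and read the header and payload without the secret key. The secret (or, for asymmetric algorithms, the public key) is only needed to verify the signature, so decoded claims should not be trusted until the signature has been verified.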
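The decoding described under "How to Use" and in the answer above, as an added example (not HubKit's code): it splits the token, Base64url-decodes the header and payload, converts exp/iat/nbf to readable dates, and flags unsigned or expired tokens without verifying anything. The names decodeJwt, b64urlDecode, enc and SAMPLE are hypothetical, and the sample token is constructed with a placeholder signature.

```javascript
// Added example: decode-only JWT inspection. Nothing here verifies the signature.
const TIME_CLAIMS = ["exp", "iat", "nbf"]; // NumericDate claims (seconds since epoch)

// Strict base64url -> UTF-8 text; rejects characters outside the URL-safe alphabet.
function b64urlDecode(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error("segment is not base64url");
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/")
    .padEnd(Math.ceil(segment.length / 4) * 4, "=");
  const bytes = Uint8Array.from(atob(b64), (ch) => ch.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const [header, payload] = parts.slice(0, 2).map((p) => JSON.parse(b64urlDecode(p)));
  for (const obj of [header, payload]) {
    if (obj === null || typeof obj !== "object") throw new Error("segment is not a JSON object");
  }
  // Human-readable copies of the time claims, as the decoder's display would show.
  const times = {};
  for (const name of TIME_CLAIMS) {
    if (typeof payload[name] === "number") {
      times[name] = new Date(payload[name] * 1000).toISOString();
    }
  }
  const warnings = [];
  if (parts[2] === "" || String(header.alg).toLowerCase() === "none") {
    warnings.push("unsigned token (alg none or empty signature)");
  }
  if (typeof payload.exp === "number" && payload.exp <= nowSeconds) warnings.push("expired");
  if (typeof payload.nbf === "number" && payload.nbf > nowSeconds) warnings.push("not yet valid");
  // verified is always false: decoding proves nothing about who issued the token.
  return { header, payload, signature: parts[2], times, warnings, verified: false };
}

// Constructed sample token; the signature segment is a placeholder, not a real MAC.
const enc = (obj) =>
  btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE = [
  enc({ alg: "HS256", typ: "JWT" }),
  enc({ iss: "https://issuer.example", sub: "user-123", iat: 1700000000, exp: 1700003600 }),
  "c2lnbmF0dXJl",
].join(".");

console.log(decodeJwt(SAMPLE));
```

The code uses atob, btoa and TextDecoder, which are available in browsers and in Node.js 16 or later.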

Is it safe to paste my JWT here?

Yes. The decoder runs entirely in your browser. Your token is never sent to any server. However, never share JWTs publicly, as they may contain sensitive claims and an unexpired token can be used by anyone who holds it.

What are common JWT claims?

Common claims include iss (issuer), sub (subject), aud (audience), exp (expiration time), iat (issued at), and nbf (not before). Custom claims can hold user roles, permissions, and other application data.