How to Decode and Inspect JWT Tokens Online

JSON Web Tokens (JWTs) are a widely used standard for securely transmitting information between parties as compact, self-contained JSON objects. When debugging authentication issues or understanding what claims are in a token, you need to decode the JWT to view its contents. This guide shows you how to decode and inspect JWT tokens using fixie.tools — a free browser-based decoder with no signup required and complete client-side processing for security.

Step 1: Open the JWT Decoder Tool

Navigate to fixie.tools/jwt in your web browser. The tool runs entirely in your browser with no server communication, ensuring your tokens remain private. No account creation or registration is needed. It works on all devices and supports all modern browsers.

Step 2: Paste Your JWT Token

Copy your JWT token from wherever it's stored: browser cookies, API responses, authentication headers, or local storage. Paste the complete token (all three Base64url-encoded parts, separated by dots) into the token input field. The tool automatically detects and parses the JWT structure. If the token is invalid or malformed, you'll see an error message explaining the issue.

Step 3: View Decoded Header and Payload

Once pasted, the tool instantly decodes the JWT and displays the header and payload sections in human-readable JSON format. The header shows the token type (typ) and signing algorithm (alg) like HS256, RS256, or ES256. The payload contains claims — standard claims like issuer (iss), subject (sub), expiration (exp), issued-at (iat), and any custom claims your application added. All Base64 decoding happens locally in your browser for complete privacy.

Step 4: Check Token Expiration and Timing

Review the timing claims to understand token validity. The exp (expiration) claim shows when the token expires as a Unix timestamp. The iat (issued at) claim shows when the token was created. The nbf (not before) claim, if present, indicates when the token becomes valid. The tool displays these timestamps in both Unix format and human-readable date/time, making it easy to verify if a token is expired or not yet valid. Expired tokens will be clearly marked with a warning.

Step 5: Copy Decoded Claims or Validate Signature

Use the copy button to copy individual claims or the entire decoded payload for debugging or documentation. If you have the signing secret or public key, you can optionally paste it into the signature verification field to validate the token's authenticity. Signature verification proves the token hasn't been tampered with and was issued by the expected authority. For debugging purposes, you can inspect tokens without verification: the tool will still decode the content of unsigned or invalidly signed tokens.

Frequently Asked Questions

Is it safe to paste JWTs into an online decoder?
With Fixie, yes. All JWT decoding happens entirely in your browser using client-side JavaScript, so the token never leaves your machine or gets sent to any server. Unlike some JWT decoders that process tokens server-side, Fixie keeps your tokens completely private. However, be cautious when pasting production tokens that contain sensitive claims, or when working on untrusted networks.
Do I need to create an account to decode JWTs?
No. Fixie's JWT Decoder requires no signup, no registration, and no account creation. Just visit the page and paste your token. Unlike platforms like JWT.io that may track usage or require accounts for advanced features, Fixie is completely free and anonymous.
Can Fixie verify JWT signatures?
Yes. If you have the signing secret (for HMAC algorithms like HS256) or the public key (for asymmetric algorithms like RS256 or ES256), you can paste it into the verification field and Fixie will validate the signature. This ensures the token hasn't been tampered with and was issued by the expected authority. Signature verification is optional — you can decode tokens without verification.
Why is my JWT marked as expired?
A JWT is expired when the current time is past the timestamp in the 'exp' (expiration) claim. The tool compares the exp value against the current time and displays a warning if expired. Expired JWTs should not be accepted by APIs or applications for security reasons. You may need to refresh your token or re-authenticate to get a new, valid token.
What's the difference between decoding and verifying a JWT?
Decoding extracts and displays the header and payload contents from the Base64-encoded JWT — this tells you what claims are in the token but doesn't prove authenticity. Verification uses a secret or public key to check the signature and confirm the token hasn't been modified and was issued by a trusted source. You can decode any JWT, but verification requires the appropriate key.
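
The decode-versus-verify distinction above, together with the exp/nbf check from Step 4, as an added Node.js example (not Fixie's code). The secret, the claims and the helper names (decodeJwt, timingStatus, verifyHs256, signHs256, withEditedPayload) are constructed for illustration.

```javascript
const crypto = require('node:crypto');

const b64url = (s) => Buffer.from(s).toString('base64url');

// Decode only: needs no key and proves nothing about authenticity.
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const [header, payload] = parts.slice(0, 2)
    .map((p) => JSON.parse(Buffer.from(p, 'base64url').toString('utf8')));
  return { header, payload, signingInput: `${parts[0]}.${parts[1]}`, signature: parts[2] };
}

// exp and nbf are Unix timestamps in seconds.
function timingStatus(payload, nowSec) {
  if (typeof payload.nbf === 'number' && nowSec < payload.nbf) return 'not-yet-valid';
  if (typeof payload.exp === 'number' && nowSec >= payload.exp) return 'expired';
  return 'valid';
}

// Verify: the expected algorithm is pinned here, not taken from the token header.
function verifyHs256(token, secret) {
  const { header, signingInput, signature } = decodeJwt(token);
  if (header.alg !== 'HS256') return false;
  const expected = crypto.createHmac('sha256', secret).update(signingInput).digest();
  const given = Buffer.from(signature, 'base64url');
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// Helper to build the constructed sample token.
function signHs256(payload, secret) {
  const input = `${b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }))}.${b64url(JSON.stringify(payload))}`;
  return `${input}.${crypto.createHmac('sha256', secret).update(input).digest('base64url')}`;
}

// Re-encode an edited payload while keeping the original signature.
function withEditedPayload(token, changes) {
  const [h, , s] = token.split('.');
  return `${h}.${b64url(JSON.stringify({ ...decodeJwt(token).payload, ...changes }))}.${s}`;
}

const SECRET = 'constructed-demo-secret'; // constructed value
const token = signHs256({ sub: 'user-1', role: 'viewer', iat: 1700000000, exp: 1700003600 }, SECRET);
const edited = withEditedPayload(token, { role: 'admin' });

console.log('decoded role:', decodeJwt(edited).payload.role);      // decoding still works
console.log('original verifies:', verifyHs256(token, SECRET));
console.log('edited verifies:', verifyHs256(edited, SECRET));
console.log('timing:', timingStatus(decodeJwt(token).payload, Math.floor(Date.now() / 1000)));
```

The edited token decodes cleanly and shows the changed claim, which is why an application must act on claims only after the signature check passes.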
