JWT Decoder

Paste a JSON Web Token to decode and inspect its header, payload, and claims. All decoding happens in your browser — your token never leaves your machine.


How the JWT Decoder Works

A JSON Web Token (JWT), in the compact serialization this tool accepts, consists of three parts separated by dots: the header, the payload, and the signature. The header and payload are Base64URL-encoded JSON; the signature is the Base64URL encoding of the raw signature bytes. This tool splits the token on the dots, decodes the header and payload from Base64URL, and displays them as formatted JSON so you can inspect the claims and metadata. Decoding is not validation: anyone holding a token can read its header and payload this way, whether or not the signature is genuine.

JWT Structure

A JWT has the format: header.payload.signature

Header: Contains the token type (typ) and signing algorithm (alg), e.g., {"alg":"HS256","typ":"JWT"}

Payload: Contains the claims, statements about the subject (typically the user) and additional metadata such as iss (issuer), exp (expiration), sub (subject), and any custom claims the issuer adds. The payload is only encoded, not encrypted, so it must never carry secrets.

Signature: Computed over the encoded header and payload (the two segments joined by a dot). For HMAC algorithms such as HS256 it is a keyed MAC using a shared secret; for RSA, ECDSA, or EdDSA algorithms it is a digital signature made with the issuer's private key. This tool does not verify the signature, since it has no access to the key.

Why Decode JWTs?

JWTs are a widely used authentication and authorization mechanism for modern web applications, mobile apps, and APIs. When debugging authentication issues, you need to inspect the token contents to verify that the expected claims are present, the expiration time is set properly, and the issuer and audience values match your configuration.

During development, you frequently receive JWTs from OAuth providers, identity platforms like Auth0 or Firebase, or your own backend. Being able to quickly decode and inspect these tokens saves significant debugging time. This tool gives you instant visibility into the token structure without writing any code.

Common JWT Claims

The JWT specification (RFC 7519) defines several registered claims, all of them optional: iss (issuer) identifies who created the token, sub (subject) identifies the user or principal, aud (audience) identifies the intended recipient and can be a string or an array of strings, exp (expiration) is a Unix timestamp in seconds after which the token is invalid, nbf (not before) is a Unix timestamp in seconds before which the token is not valid, iat (issued at) is when the token was created, and jti (JWT ID) is a unique identifier for the token, useful for revocation or replay detection.

Signature Verification

This tool decodes the header and payload but does not verify the signature. Verification requires the shared secret (for HMAC algorithms) or the issuer's public key (for RSA, ECDSA, or EdDSA algorithms). A secret must never be pasted into any tool, client-side or otherwise; a public key could in principle be used in the browser, but this tool does not attempt it. Always verify signatures on your server before trusting any claim. When you do, pin the algorithm your server expects rather than trusting the alg value in the header (reject "none" and any algorithm you did not configure), compare signatures in constant time, and check exp, nbf, iss, and aud after the signature passes.

Security Considerations

Be cautious about where you paste JWTs. This tool runs entirely in your browser with no server communication, so pasting a token here does not send it anywhere; the same cannot be assumed of online decoders that post tokens to a backend, so never paste production tokens into those. Remember that a JWT is a bearer credential: an unexpired token can be replayed by anyone who obtains it until exp passes (or until the issuer revokes it, if revocation is implemented), so treat it with the same care as a password. Expired tokens are lower risk to inspect, but their payload still reveals identifiers and claims, and the payload of any JWT is readable by anyone who holds the token because it is encoded, not encrypted.

Expiration Time Display

If the payload contains an exp claim, the decoder displays the expiration as both a Unix timestamp (in seconds, not milliseconds) and a human-readable date, and indicates whether the token is currently expired or still valid according to your machine's clock. This is invaluable when debugging "token expired" errors in your application, for example when a client and server disagree on the time, or when a token was minted with exp in milliseconds by mistake. The status shown here is informational only; whether a token is accepted is decided by the server that verifies it.