JWT Decoder

Decode and inspect JWT tokens. View header, payload, and signature of JSON Web Tokens for debugging.

⚠️ Privacy Notice: All decoding happens locally in your browser. JWT tokens are never sent to any server.

About JWT

JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties.

A JWT consists of three parts separated by dots (.):

  • Header: Contains the token type and signing algorithm
  • Payload: Contains the claims (user data and metadata)
  • Signature: Used to verify the token hasn't been altered

Common Claims:

  • iss (issuer) - Who issued the token
  • sub (subject) - Who the token is about
  • aud (audience) - Who the token is intended for
  • exp (expiration) - When the token expires
  • iat (issued at) - When the token was issued
  • nbf (not before) - When the token becomes valid

What It Does

A JWT Decoder is a specialized tool for parsing, inspecting, and debugging JSON Web Tokens (JWTs). JWTs are a compact, URL-safe means of representing claims to be transferred between two parties, commonly used for authentication and information exchange in modern web applications. This decoder breaks down the token into its three components—header, payload, and signature—and displays the decoded JSON data in a human-readable format, making it easy to understand what information the token contains.

Key Features:

  • Instant JWT decoding without server communication (client-side only)
  • Display of all three JWT parts: header, payload, and signature
  • Pretty-printed JSON output with syntax highlighting
  • Support for standard JWT algorithms (HS256, RS256, ES256, etc.)
  • Claim interpretation including exp, iat, nbf timestamps in human-readable format
  • Token structure validation and format verification
  • Security information about token properties and potential issues
  • No data storage - all processing happens in your browser

How To Use

Decoding a JWT token is quick and secure with our client-side decoder. Your tokens are never sent to a server, ensuring complete privacy.

1. Paste Your JWT Token

Copy your JWT token from your application, API response, or browser storage, and paste it into the input field. A valid JWT consists of three parts separated by dots: header.payload.signature.

2. Automatic Decoding

The tool automatically decodes your token as you paste it. No need to click any buttons—the decoding happens instantly in your browser.

3. Review Header Information

Examine the decoded header, which typically contains the token type (JWT) and the signing algorithm used (e.g., HS256, RS256). This tells you how the token is secured.

4. Inspect Payload Claims

View all claims (data) stored in the token payload. Common claims include sub (subject), iat (issued at), exp (expiration), and custom application-specific data.

5. Check Signature

See the signature section, which is used to verify the token hasn't been tampered with. Note that this tool decodes but does not verify signatures, as that requires the secret key.
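A minimal decoder for the three-part structure described under About JWT and in the steps above, added here as an example rather than this tool's own source; it assumes the widely published jwt.io sample token as input and separates decoding (reading) from verification (which it deliberately never claims):

```javascript
// Added example (not the tool's own code): decode a JWT's header and payload
// and interpret its time-based claims. Runs in a browser and in Node.

// base64url -> UTF-8 string: swap the URL-safe alphabet back and restore the
// '=' padding that JWTs omit (RFC 7515 Appendix C), then decode as UTF-8.
function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bin = typeof atob === "function"
    ? atob(padded)
    : Buffer.from(padded, "base64").toString("binary"); // older Node fallback
  return new TextDecoder().decode(Uint8Array.from(bin, (c) => c.charCodeAt(0)));
}

// Split header.payload.signature and parse the two JSON parts. The signature
// is returned untouched: decoding reads the token, it never authenticates it.
function decodeJwt(token) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) {
    throw new Error(`expected header.payload.signature, got ${parts.length} part(s)`);
  }
  const [header, payload, signature] = parts;
  return {
    header: JSON.parse(base64UrlDecode(header)),
    payload: JSON.parse(base64UrlDecode(payload)),
    signature,        // still base64url; nothing here checks it
    verified: false,  // only a verifier holding the key can establish this
  };
}

// Compare exp / nbf / iat (Unix seconds) with `nowSeconds` and list problems.
function checkTimeClaims(payload, nowSeconds) {
  const iso = (t) => new Date(t * 1000).toISOString();
  const issues = [];
  if (typeof payload.exp === "number" && nowSeconds >= payload.exp) {
    issues.push(`expired at ${iso(payload.exp)}`);
  }
  if (typeof payload.nbf === "number" && nowSeconds < payload.nbf) {
    issues.push(`not valid before ${iso(payload.nbf)}`);
  }
  if (typeof payload.iat === "number" && payload.iat > nowSeconds) {
    issues.push("iat is in the future: clock skew or a fabricated claim");
  }
  return issues;
}

// The widely published example token from jwt.io (HS256 header; payload with
// sub, name and iat). Its signature segment is left encoded, as the tool does.
const SAMPLE_TOKEN =
  "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9." +
  "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ." +
  "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c";
```

Call `checkTimeClaims(decodeJwt(SAMPLE_TOKEN).payload, Math.floor(Date.now() / 1000))` to get the same "expired / not yet valid" interpretation the tool shows; an empty list means the time claims are consistent, not that the token is genuine.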

Pro Tips

  • JWT decoding is not the same as verification - anyone can decode a JWT
  • Never share tokens that contain sensitive information
  • Check the exp (expiration) claim to see if your token is still valid
  • Look for the iat (issued at) claim to understand when the token was created
  • Be cautious with tokens from untrusted sources - they could contain malicious data
  • Use this tool for debugging authentication issues in development

Benefits

  • Debug authentication issues quickly without server logs
  • Understand what data is being transmitted in your tokens
  • Verify token expiration times before making API calls
  • Learn JWT structure and standard claims through hands-on exploration
  • Troubleshoot integration issues with third-party authentication providers
  • Inspect tokens in development without installing browser extensions
  • Privacy-focused: all processing happens locally in your browser

Use Cases

Debugging Authentication

When users report login issues, decode their JWT to check if it contains the expected claims and hasn't expired.

Check if user roles and permissions are correctly encoded in the token

API Integration Testing

Verify that third-party APIs are issuing tokens with the correct structure and claims before integrating them into your application.

Confirm OAuth2 tokens from providers like Auth0, Okta, or Firebase

Token Expiration Troubleshooting

Diagnose "unauthorized" errors by checking if tokens have expired based on the exp claim.

Compare exp timestamp with current time to verify token validity

Learning and Education

Understand how JWTs work by decoding example tokens and seeing the relationship between encoded and decoded data.

Teach developers about JWT structure and claims in workshops

Security Audits

Inspect tokens for sensitive information that shouldn't be stored in JWTs, as they're not encrypted by default.

Check if passwords or credit card numbers are accidentally in the payload

Multi-tenant Applications

Verify that tenant IDs and user permissions are correctly encoded for proper application routing and authorization.

Confirm tenant_id claim matches expected organization

Frequently Asked Questions

1. Is it safe to decode my JWT token online?

Our JWT decoder runs entirely in your browser using client-side JavaScript—your token is never sent to any server. However, you should still be cautious about pasting production tokens that contain sensitive user data into any online tool. For highly sensitive tokens, consider using an offline decoder or building your own. Remember that JWTs are only encoded (Base64), not encrypted, so anyone with the token can read its contents. The security comes from the signature verification, not the encoding.

2. What's the difference between decoding and verifying a JWT?

Decoding a JWT simply converts the Base64-encoded header and payload into readable JSON—anyone can do this without any secret keys. Verification, on the other hand, checks the signature to ensure the token was issued by a trusted source and hasn't been tampered with. This requires the secret key (for HS256) or public key (for RS256). This tool only decodes tokens; verification must be done server-side with proper keys. Never trust decoded data without signature verification in production.

3. Why does my token show it's expired?

JWTs contain an exp (expiration) claim that specifies when the token becomes invalid. This is a security feature to limit how long a token can be used. If your decoded token shows an expired timestamp, you need to request a new token from your authentication provider, typically by refreshing using a refresh token or re-authenticating. Short-lived access tokens (5-15 minutes) paired with longer-lived refresh tokens are a security best practice.

4. What are the standard JWT claims I should know?

Standard JWT claims (called registered claims) include: iss (issuer) - who created the token; sub (subject) - who the token is about; aud (audience) - who the token is intended for; exp (expiration time) - when it expires; nbf (not before) - when it becomes valid; iat (issued at) - when it was created; and jti (JWT ID) - unique identifier. You can also add custom claims specific to your application, like user roles, permissions, or tenant IDs. Keep payload size small as JWTs are sent with every request.

5. Can I edit a JWT token and use it?

While you can technically decode, edit, and re-encode a JWT, the modified token will fail signature verification. The signature is calculated using the header and payload plus a secret key. Without the correct secret key, you cannot generate a valid signature for your modified token. Any server that properly verifies JWTs will reject modified tokens. This is the core security mechanism of JWTs—they provide tamper-proof authentication. Only the token issuer with the private key can create valid tokens.

JWT Token Security Best Practices

  • Always verify JWT signatures on the server before trusting token data
  • Use short expiration times (5-15 minutes) for access tokens
  • Store JWTs in httpOnly cookies or memory, never in localStorage
  • Implement refresh token rotation for enhanced security
  • Don't put sensitive data in JWT payloads - they're readable by anyone
  • Use strong signing algorithms like RS256 for production systems
