JWT Decoder
Decode and inspect JWT tokens. View header, payload and expiry at a glance.
Paste a JWT token on the left and click Decode
— or click Sample to load an example —
What Is a JWT (JSON Web Token)?
A JSON Web Token (JWT) is a compact, URL-safe string used to securely transmit claims between two parties. JWTs are widely used for authentication — a server signs a token after login and the client sends it with every subsequent request. A JWT consists of three Base64URL-encoded sections separated by dots: header.payload.signature.
How to Decode a JWT — Step by Step
- Paste your JWT token into the left input pane.
- The token is automatically decoded as you type — no button press required.
- The Header section shows the signing algorithm (
alg) and token type (typ). - The Payload section lists all claims. Standard claims (
sub,iss,exp, etc.) are highlighted. Timestamp values are shown as both Unix epoch and human-readable date. - The expiry banner shows whether the token is currently active or expired, and how long until expiry (or how long ago it expired).
- Click Copy Payload JSON to copy the decoded payload for use in code or documentation.
- Use Explain with AI to get a plain-English breakdown of what the token represents.
JWT Structure — Header, Payload, Signature
- Header — A JSON object containing the token type (
typ: "JWT") and the signing algorithm (alge.g.HS256,RS256). Base64URL-encoded as the first segment. - Payload — A JSON object containing claims (statements about an entity). Base64URL-encoded as the second segment. Anyone can decode this — do not put secrets in the payload.
- Signature — Created by signing the encoded header + payload with a secret key or private key. Used to verify the token was not tampered with. Shown as the third segment (Base64URL).
Standard JWT Claims Reference
sub— Subject: the entity the token refers to (typically a user ID).iss— Issuer: the server or service that generated the token.aud— Audience: the intended recipient(s) — who should accept this token.exp— Expiry: Unix timestamp after which the token must be rejected.iat— Issued at: Unix timestamp when the token was generated.nbf— Not before: Unix timestamp before which the token must be rejected.jti— JWT ID: unique identifier for this token (used to prevent replay attacks).
JWT Signing Algorithms Explained
- HS256 / HS384 / HS512 — HMAC with SHA-2. Uses a shared secret key known to both issuer and verifier. Fast and simple — best for internal microservices where both sides share a secret.
- RS256 / RS384 / RS512 — RSA with SHA-2. Uses a private key to sign and a public key to verify. Best for scenarios where multiple services verify tokens without needing the signing key.
- ES256 / ES384 / ES512 — ECDSA with SHA-2. Elliptic curve variant of RSA — smaller key sizes, same security level. Preferred for modern APIs.
Security Note — What This Tool Does Not Do
This tool decodes the JWT — it does not verify the signature. Decoding only means reading the Base64URL-encoded content; any string can be decoded without knowing the secret key. Verification requires the secret or public key and confirms the token has not been tampered with. Never trust a decoded JWT in your application without verifying the signature server-side.
Tips & Tricks
- Auto-decode — the tool decodes as you type, so paste-and-glance works without clicking anything.
- Check the expiry banner first — a token with
expin the past is almost certainly your bug. The banner tells you exactly how long ago it expired. - Pretty-print the payload — once decoded, use the JSON Formatter on the copied payload for readability in your docs.
- Common JWT debugging — if your API rejects a token, decode it here and check: is
audright? Isissright? Is the clock skew < 30s? Most JWT failures are claim mismatches, not signature failures. - Inspect Auth0 / Cognito / Firebase tokens — they all use standard JWT format with extra custom claims. This tool reveals them all.
Related Tools
- JWT Generator — Create and sign JWTs with HS256/384/512, custom claims, and random secrets.
- Base64 Encoder / Decoder — JWTs use Base64URL encoding — decode any segment manually here.
- URL Encoder / Decoder — Encode and decode query strings and path segments used alongside JWTs.
- Regex Tester — Extract JWTs from log lines or HTTP headers with the JWT preset.
Is My Token Sent to a Server?
No. JWT decoding runs entirely in your browser using JavaScript's native atob for Base64URL and JSON.parse for the payload. Your token — and any sensitive claims inside it — never leaves your device. This is critical when debugging production auth tokens: posting a JWT to a third-party site that logs it could be a security incident.