Home/Dev Tools/JWT Decoder

JWT Decoder

ValidateConvert

Decode and inspect JWT tokens. View header, payload and expiry at a glance.

Input
Loading editor…
🪙

Paste a JWT token on the left and click Decode

— or click Sample to load an example —

✨ AI Code Explanation
Mode

What Is a JWT (JSON Web Token)?

A JSON Web Token (JWT) is a compact, URL-safe string used to securely transmit claims between two parties. JWTs are widely used for authentication — a server signs a token after login and the client sends it with every subsequent request. A JWT consists of three Base64URL-encoded sections separated by dots: header.payload.signature.

How to Decode a JWT — Step by Step

  1. Paste your JWT token into the left input pane.
  2. The token is automatically decoded as you type — no button press required.
  3. The Header section shows the signing algorithm (alg) and token type (typ).
  4. The Payload section lists all claims. Standard claims (sub, iss, exp, etc.) are highlighted. Timestamp values are shown as both Unix epoch and human-readable date.
  5. The expiry banner shows whether the token is currently active or expired, and how long until expiry (or how long ago it expired).
  6. Click Copy Payload JSON to copy the decoded payload for use in code or documentation.
  7. Use Explain with AI to get a plain-English breakdown of what the token represents.

JWT Structure — Header, Payload, Signature

  • Header — A JSON object containing the token type (typ: "JWT") and the signing algorithm (alg e.g. HS256, RS256). Base64URL-encoded as the first segment.
  • Payload — A JSON object containing claims (statements about an entity). Base64URL-encoded as the second segment. Anyone can decode this — do not put secrets in the payload.
  • Signature — Created by signing the encoded header + payload with a secret key or private key. Used to verify the token was not tampered with. Shown as the third segment (Base64URL).

Standard JWT Claims Reference

  • subSubject: the entity the token refers to (typically a user ID).
  • issIssuer: the server or service that generated the token.
  • audAudience: the intended recipient(s) — who should accept this token.
  • expExpiry: Unix timestamp after which the token must be rejected.
  • iatIssued at: Unix timestamp when the token was generated.
  • nbfNot before: Unix timestamp before which the token must be rejected.
  • jtiJWT ID: unique identifier for this token (used to prevent replay attacks).

JWT Signing Algorithms Explained

  • HS256 / HS384 / HS512 — HMAC with SHA-2. Uses a shared secret key known to both issuer and verifier. Fast and simple — best for internal microservices where both sides share a secret.
  • RS256 / RS384 / RS512 — RSA with SHA-2. Uses a private key to sign and a public key to verify. Best for scenarios where multiple services verify tokens without needing the signing key.
  • ES256 / ES384 / ES512 — ECDSA with SHA-2. Elliptic curve variant of RSA — smaller key sizes, same security level. Preferred for modern APIs.

Security Note — What This Tool Does Not Do

This tool decodes the JWT — it does not verify the signature. Decoding only means reading the Base64URL-encoded content; any string can be decoded without knowing the secret key. Verification requires the secret or public key and confirms the token has not been tampered with. Never trust a decoded JWT in your application without verifying the signature server-side.

Tips & Tricks

  • Auto-decode — the tool decodes as you type, so paste-and-glance works without clicking anything.
  • Check the expiry banner first — a token with exp in the past is almost certainly your bug. The banner tells you exactly how long ago it expired.
  • Pretty-print the payload — once decoded, use the JSON Formatter on the copied payload for readability in your docs.
  • Common JWT debugging — if your API rejects a token, decode it here and check: is aud right? Is iss right? Is the clock skew < 30s? Most JWT failures are claim mismatches, not signature failures.
  • Inspect Auth0 / Cognito / Firebase tokens — they all use standard JWT format with extra custom claims. This tool reveals them all.

Related Tools

  • JWT Generator — Create and sign JWTs with HS256/384/512, custom claims, and random secrets.
  • Base64 Encoder / Decoder — JWTs use Base64URL encoding — decode any segment manually here.
  • URL Encoder / Decoder — Encode and decode query strings and path segments used alongside JWTs.
  • Regex Tester — Extract JWTs from log lines or HTTP headers with the JWT preset.

Is My Token Sent to a Server?

No. JWT decoding runs entirely in your browser using JavaScript's native atob for Base64URL and JSON.parse for the payload. Your token — and any sensitive claims inside it — never leaves your device. This is critical when debugging production auth tokens: posting a JWT to a third-party site that logs it could be a security incident.