JWT Decoder
Decode and inspect JWT (JSON Web Token) header, payload and signature without a secret.
What Is a JWT Token?
A JSON Web Token (JWT) is an open standard (RFC 7519) for securely transmitting information as a compact, URL-safe string. JWTs are widely used in authentication and authorization systems — issued by identity providers and sent with API requests to prove identity or grant access.
A JWT consists of three Base64URL-encoded parts separated by dots:
- Header — Declares the token type (
JWT) and signing algorithm (e.g.HS256,RS256). - Payload — Contains claims: registered (
sub,iss,exp,iat), public, and private data. - Signature — Ensures the token hasn't been tampered with. Requires the secret or private key to verify.
Because the header and payload are only Base64URL-encoded (not encrypted), their contents can be read by anyone — never store sensitive data in a JWT payload unless it is additionally encrypted (JWE).
How to Use the JWT Decoder
- Paste your full JWT string into the text area above.
- Click Decode JWT — the tool instantly splits and decodes the header and payload into readable, syntax-highlighted JSON.
- Review the Claims Summary panel to see key claims like subject, issuer, issued-at, expiry, and audience at a glance.
- Check the expiry status badge to quickly know if the token is still valid or has expired.
- Optionally, enter your HMAC secret key and click Verify to confirm the signature is authentic (supports HS256, HS384, HS512).
- Use the Copy buttons to copy decoded header or payload JSON to your clipboard.
Common Use Cases
Inspect tokens from login flows, OAuth providers, or API responses to diagnose auth failures.
Instantly see if a token is expired, and when it was issued or when it expires.
Verify your backend is embedding the correct claims and algorithms during development.
Confirm HMAC-signed tokens haven't been tampered with using your shared secret.
Understand how JWTs work by inspecting real tokens from OAuth 2.0, OpenID Connect, or your own API.
Check that tokens use strong algorithms (RS256, ES256) and don't use the insecure alg: none.
Frequently Asked Questions
Is it safe to paste my JWT here?
All decoding happens entirely in your browser using JavaScript — no data is sent to any server. That said, treat production JWTs as sensitive credentials. If a token grants access to important resources, consider revoking it after inspection and avoid pasting live session tokens into any online tool.
Can this tool decode any JWT?
Yes — the header and payload of any valid JWT can be decoded without a secret, because they are Base64URL-encoded, not encrypted. The tool will display all claims regardless of the signing algorithm used (HS256, RS256, ES256, etc.).
Why can't I verify RS256 or ES256 signatures here?
Asymmetric algorithms (RS256, RS384, RS512, ES256, etc.) use a public/private key pair. Verification requires the public key in PEM or JWKS format. This tool currently supports HMAC (symmetric) signature verification for HS256, HS384, and HS512. Full asymmetric verification may be added in a future update.
What does the expiry status check?
The tool reads the exp (expiration time) claim from the payload, which is a Unix timestamp (seconds since epoch). It compares this to your local system clock. If exp is in the past, the token is marked Expired. If it's in the future, it's Valid. If no exp claim exists, the token has no expiry.
What is the difference between a JWT and a JWE?
A standard JWT (also called JWS — JSON Web Signature) has a signed but readable payload. A JWE (JSON Web Encryption) has an encrypted payload that cannot be read without the decryption key. JWEs typically have 5 parts instead of 3. This tool decodes JWS-format tokens only.
What are common JWT claims?
Standard registered claims include: iss (issuer), sub (subject/user ID), aud (audience), exp (expiration time), nbf (not before), iat (issued at), and jti (JWT ID). Applications typically also include custom private claims like email, roles, or permissions.
