{ JWT Decoder }

// decode and inspect JSON Web Tokens in the browser

Decode and inspect JWT tokens instantly in the browser. View header, payload, and signature — with expiry status, claims validation, and HMAC verification. Free, no signup.


HOW TO USE

  1. Paste your JWT

     Paste any JWT token — the three base64url-encoded parts separated by dots. The token decodes instantly and the header, payload, and signature are shown.

  2. Inspect claims

     Standard claims like exp, iat, sub, and aud are explained with descriptions and human-readable timestamps. The token lifetime is shown on a visual timeline.

  3. Verify signature (optional)

     Enter the HMAC secret key to verify the signature. The result shows valid ✓ or invalid ✗ in real time. Supports HS256, HS384, and HS512.

FEATURES

  • Instant Decode
  • Expiry Check
  • HMAC Verify
  • Claims Inspector
  • Token Timeline
  • Color-coded Parts
  • No Server Upload
  • Free & No Signup

USE CASES

  • Inspect tokens from authentication flows during debugging
  • Verify token expiry before making API calls
  • Check user roles and permissions encoded in claims
  • Validate HMAC signatures during API integration testing

WHAT IS THIS?

A JSON Web Token (JWT) is a compact, URL-safe token format used for authentication and data transfer. It consists of three base64url-encoded parts separated by dots: a header describing the algorithm, a payload containing claims, and a signature for verification. This tool decodes all three parts entirely in your browser — no token data is sent anywhere.

FREQUENTLY ASKED QUESTIONS

Is it safe to paste my JWT here?

Yes. All decoding and verification happens entirely in your browser using JavaScript — no token data is sent to any server, stored, or logged anywhere. This is guaranteed by the browser-only architecture: there is no network request made when you paste a token. For extra caution, use short-lived or already-expired tokens when testing tools like this.

What does decoding a JWT reveal?

Decoding reveals the header (algorithm and token type) and the payload (claims — user ID, roles, expiry, issuer, etc.). The payload is only base64url-encoded, not encrypted, so anyone who has the token can read its contents. This is why JWTs should never contain sensitive data like passwords. The signature ensures the token hasn't been tampered with, but does not hide the payload.

Why can't I verify RS256/RS384/RS512 tokens here?

RSA signature verification requires the public key in PEM format and the Web Crypto API. HMAC (HS256/384/512) verification is supported because it only requires the shared secret. RSA public key verification is planned for a future update. For now, you can paste the public key in PEM format to perform the verification client-side.

What is the difference between iat, nbf, and exp?

iat (Issued At) is the Unix timestamp when the token was created. nbf (Not Before) is the earliest time the token is valid — useful for tokens that should not be usable immediately after issuance. exp (Expiration Time) is when the token becomes invalid. All three are Unix timestamps (seconds since Jan 1 1970 UTC).

What does the "base64" checkbox do on the secret field?

Some JWT libraries accept the HMAC secret as a base64-encoded string rather than a raw string. When this checkbox is enabled, the secret you enter is first decoded from base64 before being used for signature verification. If your secret is a plain string like mysecret, leave the checkbox off. If it's a base64 string like bXlzZWNyZXQ=, check it.

Why does my token show as expired?

A JWT is considered expired when the current time is past the value in the exp claim. The expiry check in this tool uses your browser's local clock. If a token shows as unexpectedly expired, verify your system clock is accurate. Note that tokens issued with short lifetimes (like 15-minute access tokens) expire quickly by design.

JWT Decoder — Inspect JSON Web Tokens Safely in the Browser

JSON Web Tokens are the de facto standard for stateless authentication on the web. When debugging authentication flows, the first tool a developer reaches for is a JWT decoder — a way to see what claims are encoded in a token, whether it has expired, and whether its signature is valid. This tool provides all three functions without sending your token anywhere.

Understanding JWT Structure

A JWT consists of three dot-separated base64url-encoded strings. The header specifies the algorithm (alg) used to sign the token — typically HS256 for HMAC-SHA256 or RS256 for RSA. The payload contains the claims — registered claims like sub, exp, and iat, plus any custom application claims. The signature is computed over the header and payload using the algorithm and key, allowing the receiver to verify the token hasn't been tampered with.

Standard JWT Claims