JWT Decoder

Paste a JSON Web Token to decode its header, payload, and signature instantly. Inspect claims, check expiration, and debug authentication tokens without sending data to a server.

Embed this tool
Valid FormatAlgorithm: HS256

Header

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload

{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}

Signature

SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Claims

ClaimValueDescription
sub1234567890Subject
nameJohn DoeCustom claim
iat1516239022 (1/18/2018, 5:30:22 AM)Issued At
HEADER (Base64URL)
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
PAYLOAD (Base64URL)
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ
SIGNATURE
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Advertisement

Ad

Inspect JWTs Without Leaving Your Browser

JSON Web Tokens are everywhere in modern web development. They carry identity and permission information between browsers, APIs, and identity providers. Because JWTs are just Base64URL-encoded JSON, their contents are not meant to be secret, but they are meant to be tamper-proof. A decoder helps you see exactly what is inside so you can debug flows, verify claims, and spot mistakes during development.

What This Tool Does

The JWT Decoder splits a token into its three parts and renders each one in readable JSON. It displays the header algorithms, the payload claims, and the raw signature segment. When the payload contains an exp claim, the tool also calculates whether the token is expired and how much time remains. All decoding happens locally in your browser, so no token data is transmitted, logged, or stored.

How to Use It

  1. Paste a complete JWT into the input area.
  2. Confirm the format badge shows “Valid Format” (three dot-separated segments).
  3. Review the decoded header, payload, and signature blocks.
  4. Check the claims table for expiration, issuer, subject, audience, and custom fields.
  5. Use the expiration badge to see whether the token is still active.

Common Use Cases

API debugging is the most frequent use case. When an authenticated request fails, developers paste the bearer token into a decoder to confirm the user ID, scopes, and expiration before looking at server-side logic.

Single sign-on troubleshooting becomes easier when you can inspect identity tokens from providers like Auth0, Okta, or Firebase. You can verify that the issuer, audience, and claims match your application configuration.

Token generation testing helps backend developers confirm that the tokens their services produce contain the expected fields and timestamps before they are consumed by clients.

Security reviews use decoders to audit what information an application exposes in tokens. If a token contains unexpected personal data or overly broad scopes, it can be flagged for remediation.

Worked Example

A typical JWT looks like a long string of characters separated by two dots, such as header.payload.signature. When decoded, the header might reveal {"alg":"HS256","typ":"JWT"}, indicating the token was signed with HMAC-SHA-256. The payload could contain {"sub":"user_42","name":"Ada","iat":1516239022,"exp":1516242622}, showing the subject, name, issued time, and expiration. The signature is a hash that validates integrity but cannot be verified without the issuer key.

If the current time is before the exp value, the tool displays “Expires in X minutes.” Once the expiration timestamp passes, the badge switches to “Expired,” which is a quick signal that the token should be refreshed or rejected.

Tips for Working with JWTs

  • Always verify the signature on your server before trusting token claims.
  • Keep tokens short-lived and rotate signing keys regularly.
  • Never include passwords or sensitive personal data in the payload.
  • Use HTTPS so tokens cannot be intercepted in transit.
  • Store tokens securely in your client and clear them on logout.
  • Check the audience (aud) and issuer (iss) claims to prevent cross-service replay.

Frequently Asked Questions

A JSON Web Token (JWT) is a compact, URL-safe way to transmit claims between two parties. It is commonly used for authentication and authorization in web applications, APIs, and single sign-on systems. Decoding a JWT lets you inspect the header and payload to understand the token issuer, expiration, user roles, and custom claims without sending the token anywhere.

Related Tools