JWT Decoder
Paste a JSON Web Token to decode its header, payload, and signature instantly. Inspect claims, check expiration, and debug authentication tokens without sending data to a server.
Embed this toolHeader
{
"alg": "HS256",
"typ": "JWT"
}Payload
{
"sub": "1234567890",
"name": "John Doe",
"iat": 1516239022
}Signature
Claims
| Claim | Value | Description |
|---|---|---|
| sub | 1234567890 | Subject |
| name | John Doe | Custom claim |
| iat | 1516239022 (1/18/2018, 5:30:22 AM) | Issued At |
Advertisement
Inspect JWTs Without Leaving Your Browser
JSON Web Tokens are everywhere in modern web development. They carry identity and permission information between browsers, APIs, and identity providers. Because JWTs are just Base64URL-encoded JSON, their contents are not meant to be secret, but they are meant to be tamper-proof. A decoder helps you see exactly what is inside so you can debug flows, verify claims, and spot mistakes during development.
What This Tool Does
The JWT Decoder splits a token into its three parts and renders each one in readable JSON. It displays the header algorithms, the payload claims, and the raw signature segment. When the payload contains an exp claim, the tool also calculates whether the token is expired and how much time remains. All decoding happens locally in your browser, so no token data is transmitted, logged, or stored.
How to Use It
- Paste a complete JWT into the input area.
- Confirm the format badge shows “Valid Format” (three dot-separated segments).
- Review the decoded header, payload, and signature blocks.
- Check the claims table for expiration, issuer, subject, audience, and custom fields.
- Use the expiration badge to see whether the token is still active.
Common Use Cases
API debugging is the most frequent use case. When an authenticated request fails, developers paste the bearer token into a decoder to confirm the user ID, scopes, and expiration before looking at server-side logic.
Single sign-on troubleshooting becomes easier when you can inspect identity tokens from providers like Auth0, Okta, or Firebase. You can verify that the issuer, audience, and claims match your application configuration.
Token generation testing helps backend developers confirm that the tokens their services produce contain the expected fields and timestamps before they are consumed by clients.
Security reviews use decoders to audit what information an application exposes in tokens. If a token contains unexpected personal data or overly broad scopes, it can be flagged for remediation.
Worked Example
A typical JWT looks like a long string of characters separated by two dots, such as header.payload.signature. When decoded, the header might reveal {"alg":"HS256","typ":"JWT"}, indicating the token was signed with HMAC-SHA-256. The payload could contain {"sub":"user_42","name":"Ada","iat":1516239022,"exp":1516242622}, showing the subject, name, issued time, and expiration. The signature is a hash that validates integrity but cannot be verified without the issuer key.
If the current time is before the exp value, the tool displays “Expires in X minutes.” Once the expiration timestamp passes, the badge switches to “Expired,” which is a quick signal that the token should be refreshed or rejected.
Tips for Working with JWTs
- Always verify the signature on your server before trusting token claims.
- Keep tokens short-lived and rotate signing keys regularly.
- Never include passwords or sensitive personal data in the payload.
- Use HTTPS so tokens cannot be intercepted in transit.
- Store tokens securely in your client and clear them on logout.
- Check the audience (
aud) and issuer (iss) claims to prevent cross-service replay.