
JWT Decoder

Decode JSON Web Tokens to inspect header, payload, and signature without needing the secret key.

1. Paste your complete JSON Web Token (the long string starting with "eyJ") into the input field.
2. The decoder instantly splits the token into its three parts: header, payload, and signature.
3. Review the decoded header to see the signing algorithm and token type.
4. Examine the payload claims including subject, issuer, expiration time, and custom data fields.
5. Check the expiration status indicator to see whether the token is still valid or has expired.
6. Click copy on any decoded section to use the parsed JSON in your debugging workflow.

About This Tool

The JWT Decoder breaks down JSON Web Tokens into their three components - header, payload, and signature - presenting each in a formatted, readable view. Simply paste a JWT and instantly see the decoded algorithm, claims, expiration time, and all embedded data.

JWTs are the standard for authentication and authorization in modern web applications. Understanding their contents is essential for debugging auth flows, verifying token claims, checking expiration times, and ensuring the right scopes and permissions are included. This tool decodes the token without requiring the secret key, since the header and payload are only Base64URL encoded, not encrypted.

The tool also validates the token structure, highlights expired tokens, displays timestamps in human-readable format, and provides warnings about common security concerns like the "none" algorithm or excessively long expiration periods.
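
The decode-and-warn steps described above, as an added JavaScript example (not this tool's own source code). The names `inspectJwt` and `MAX_LIFETIME_SECONDS`, the 24-hour lifetime threshold, and both sample tokens are assumptions constructed for illustration; no signature verification is performed.

```javascript
// Added example: decode-only JWT inspection. It never verifies the signature.
const MAX_LIFETIME_SECONDS = 24 * 60 * 60; // assumed threshold for "excessively long"

function b64urlToJson(part) {
  // Base64URL -> Base64: swap the URL-safe characters and restore '=' padding.
  const b64 = part.replace(/-/g, '+').replace(/_/g, '/')
    .padEnd(Math.ceil(part.length / 4) * 4, '=');
  const bytes = Uint8Array.from(atob(b64), c => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes)); // claims may be UTF-8
}

function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const header = b64urlToJson(parts[0]);
  const payload = b64urlToJson(parts[1]);
  const warnings = [];
  if (String(header.alg).toLowerCase() === 'none') {
    warnings.push('alg is "none": the token is unsigned');
  }
  if (parts[2] === '') warnings.push('signature segment is empty');
  let expired = null; // null means there is no numeric exp claim to compare
  if (typeof payload.exp === 'number') {
    expired = payload.exp <= nowSeconds; // exp is seconds since the Unix epoch
    if (typeof payload.iat === 'number' &&
        payload.exp - payload.iat > MAX_LIFETIME_SECONDS) {
      warnings.push('lifetime (exp - iat) exceeds the assumed 24 hour limit');
    }
  } else {
    warnings.push('no numeric exp claim: the token does not expire by itself');
  }
  return { header, payload, signature: parts[2], expired, warnings };
}

// Constructed sample tokens (not real credentials).
const enc = obj => btoa(JSON.stringify(obj))
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const SAMPLE_UNSIGNED = enc({ alg: 'none', typ: 'JWT' }) + '.' +
  enc({ sub: 'user-123', iss: 'https://issuer.example',
        iat: 1700000000, exp: 1700003600 }) + '.';
const SAMPLE_LONG_LIVED = enc({ alg: 'HS256', typ: 'JWT' }) + '.' +
  enc({ sub: 'user-123', iat: 1700000000, exp: 1700000000 + 30 * 86400 }) +
  '.c2lnbmF0dXJl'; // placeholder signature bytes, never checked here
```

Because the output comes from an unverified token, treat every decoded claim as untrusted input until a server-side library has checked the signature against the expected algorithm and key.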

Frequently Asked Questions

This tool decodes and displays the JWT contents but does not verify the signature, as that requires the secret key or public key. It is designed for inspecting token contents during development and debugging, not for production signature verification.
Yes. All decoding happens entirely in your browser - the token is never sent to any server. However, you should still avoid sharing JWTs from production environments unnecessarily, as they may contain sensitive claims.
Common JWT claims include sub (subject/user ID), exp (expiration time), iat (issued at), iss (issuer), aud (audience), roles, permissions, and custom application-specific data. The header specifies the signing algorithm.
The tool compares the exp (expiration) claim against the current time. If the expiration timestamp is in the past, the token is marked as expired. This is one of the most common reasons authentication fails in applications.
The most common algorithms are HS256 (HMAC with SHA-256, using a shared secret), RS256 (RSA with SHA-256, using public/private key pairs), and ES256 (ECDSA with SHA-256). The algorithm is specified in the JWT header.
