JWT Decoder - Decode & Verify JSON Web Tokens Online

Decode JWT tokens instantly. Inspect header, payload, and signature with timestamp interpretation. Generate and verify JWTs. Free, fast, and 100% client-side.

Decode JWT Tokens Instantly in Your Browser

Decode and inspect JWT (JSON Web Token) structures instantly—all in your browser with zero server uploads. Paste any JWT to see its header, payload, and signature broken down with pretty-printed JSON, automatic timestamp interpretation, and expiration status. Perfect for debugging authentication flows, inspecting API tokens, and understanding JWT structure.

All processing happens client-side for complete privacy. Your tokens never leave your device.

How JWT Decoding Works

Paste your JWT token into the decoder, and it instantly:

Splits the token into three Base64URL-encoded parts (header.payload.signature)
Decodes each section and displays formatted JSON
Interprets timestamps - Converts exp, iat, nbf to human-readable dates
Shows expiration status - Visual indicators for active/expired tokens
Displays all claims - Standard and custom JWT claims with descriptions

Example JWT Structure:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Decodes to:

Header: {"alg":"HS256","typ":"JWT"}
Payload: {"sub":"1234567890","name":"John Doe","iat":1516239022}
Signature: SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Complete JWT Decoder Features

Decoding Features

Instant JWT Decoding: Real-time token breakdown as you paste
Three-Part Analysis: Separate display of header, payload, and signature
Pretty-Printed JSON: Formatted, syntax-highlighted output for readability
Automatic Base64URL Decoding: Handles JWT’s Base64URL encoding automatically
File Upload Support: Upload .txt or .jwt files containing tokens
Drag & Drop: Quick token input via file drag-and-drop
Large Token Support: Handles tokens of any size
Error Validation: Detects invalid JWT format instantly
Multi-Line Input: Accepts tokens with or without whitespace

Claim Interpretation Features

Timestamp Interpretation: Auto-converts Unix timestamps to human-readable dates
Expiration Status: Visual indicator for expired/active tokens
Standard Claim Recognition: Identifies exp, iat, nbf, iss, sub, aud, jti
Claim Descriptions: Helpful tooltips explaining each standard claim
Time Remaining: Shows time until expiration for active tokens
Time Since Issuance: Displays how long ago the token was created
Timezone Support: Shows timestamps in local timezone
Custom Claim Display: Shows all claims, not just standard ones
Copy Decoded Sections: Copy header, payload, or signature individually
Download as JSON: Save decoded parts as JSON file
One-Click Clear: Reset all inputs and outputs
Toast Notifications: Success/error feedback for all actions

Common Use Cases for JWT Decoder

Debugging Authentication & APIs

Decode tokens from API responses during development
Inspect authentication headers from backend services
Verify token structure matches expected format
Check claim values during integration testing
Debug OAuth/OIDC authentication flows
Validate third-party JWT tokens
Troubleshoot authorization issues
Compare token versions for consistency

Token Analysis

Extract user information from payload claims
Check token expiration times and validity periods
Identify token issuer (iss) and audience (aud)
Analyze custom claims in application tokens
Verify algorithm and signing methods
Understand token lifetime and refresh needs
Inspect role-based access control claims

Development & Testing

Learn JWT structure and format
Understand standard JWT claims
See how Base64URL encoding works
Explore different signing algorithms
Practice JWT creation concepts
Verify backend token generation
Test authentication flows

Security Analysis

Inspect tokens for sensitive data exposure
Verify signature algorithms are secure (not “none”)
Check for appropriate expiration times
Validate token structure for security best practices
Identify potential security issues in JWTs
Ensure tokens don’t contain PII unnecessarily
Audit token implementation

Generate & Verify JWTs (Advanced Features)

Beyond decoding, our tool includes powerful token generation and verification capabilities:

Token Generation

Create custom JWTs for testing and development:

Algorithm Selection: HS256, HS384, HS512, RS256, RS384, RS512
Custom Claims: Add any payload claims you need
Standard Claims: Quick templates for exp, iat, nbf with date pickers
Secret Key Input: Provide your own HMAC signing keys
Auto-Signing: Tokens are automatically signed
Copy & Download: Export generated tokens instantly

Perfect for creating test tokens, API development, and authentication testing.

JWT Signature Verification

Verify token authenticity and integrity:

Signature Validation: Verify tokens with secret/public keys
Algorithm Checking: Ensures header algorithm matches
Expiration Validation: Checks if token is still valid
Not-Before Validation: Confirms token is currently active
Visual Status Indicators: Clear valid/invalid feedback
Detailed Error Messages: Understand why verification failed

Essential for validating tokens in development and ensuring authentication security.

What is a JWT (JSON Web Token)?

A JWT (JSON Web Token) is a compact, URL-safe token used for securely transmitting information between parties as a JSON object. JWTs are commonly used for authentication and information exchange in web applications, APIs, and microservices.

JWT Structure (Three Parts)

Every JWT consists of three Base64URL-encoded parts separated by dots (.):

Format: header.payload.signature

Header - Contains token metadata
- Token type: Always “JWT”
- Signing algorithm: HS256, RS256, ES256, etc.
- Example: {"alg":"HS256","typ":"JWT"}
Payload - Contains the claims (data)
- User information
- Expiration time
- Issuer, audience, and other metadata
- Custom application data
- Example: {"sub":"user123","name":"John Doe","exp":1735689600}
Signature - Ensures data integrity
- Prevents tampering
- Verifies token authenticity
- Created using header, payload, and secret key
- Validates the token hasn’t been modified

Standard JWT Claims Explained

JWTs use registered claim names for common fields:

exp (Expiration Time) - Unix timestamp when token expires
iat (Issued At) - Unix timestamp when token was created
nbf (Not Before) - Unix timestamp before which token is invalid
iss (Issuer) - Who created and signed the token
sub (Subject) - The user or entity the token represents
aud (Audience) - Who the token is intended for
jti (JWT ID) - Unique identifier for the token

These standard claims help systems understand token lifecycle, validity, and purpose.

JWT Algorithms Supported

Our decoder handles all common JWT signing algorithms:

HMAC Algorithms: HS256, HS384, HS512 (symmetric key signing)
RSA Algorithms: RS256, RS384, RS512 (asymmetric key signing)
ECDSA Algorithms: ES256, ES384, ES512 (elliptic curve signing)

The algorithm specified in the header determines how the signature is created and verified.

Security & Privacy Guaranteed

100% Client-Side Processing - Your JWTs never leave your browser.

This JWT decoder runs entirely in your browser using JavaScript. Your tokens are never sent to any server, ensuring complete privacy and security. All decoding, generation, and verification happens locally on your device.

Why Client-Side Matters

Zero Data Transmission: Tokens stay on your device
No Logging: We don’t store or track any tokens
No Analytics: Your usage is completely private
Offline Capable: Works without internet after page load
No Registration: Free to use, no account required
Open Source: Transparent, auditable codebase

Security Best Practices for JWTs

When working with JWTs, follow these security guidelines:

Never share decoded tokens publicly - They may contain sensitive information
Don’t commit JWTs to version control - Use environment variables
Use strong secret keys - Random, long keys for HMAC algorithms
Avoid sensitive data in payloads - JWTs are encoded, not encrypted
Set appropriate expiration times - Short-lived tokens are more secure
Always use HTTPS - Prevents token interception during transmission
Implement token refresh - Rotate tokens regularly
Validate signatures server-side - Never trust client-side validation alone
Check token algorithms - Prevent “none” algorithm attacks
Monitor for token leaks - Implement detection and revocation

Frequently Asked Questions

Is this tool safe to use with sensitive JWTs?

Yes. All decoding and processing happens locally in your browser using JavaScript. No data is transmitted to any server, and we don’t log or store any information. However, avoid sharing decoded tokens publicly as they may contain sensitive user information or application secrets.

Can this tool verify JWT signatures?

Yes! Our tool supports signature verification for HMAC (HS256/HS384/HS512) and RSA (RS256/RS384/RS512) algorithms. Provide the secret key or public key to verify the token’s authenticity and ensure it hasn’t been tampered with. Verification confirms the signature matches the header and payload.

What JWT algorithms are supported?

This decoder supports all common JWT algorithms:

HMAC: HS256, HS384, HS512 (symmetric signing with secret keys)
RSA: RS256, RS384, RS512 (asymmetric signing with private/public keys)
ECDSA: ES256, ES384, ES512 (elliptic curve signing)

You can decode tokens signed with any algorithm. Signature verification is available for HMAC and RSA variants when you provide the appropriate key.

Can I generate new JWTs with this tool?

Yes! Switch to “Generate” mode to create new JWTs with:

Custom payload claims
Standard claims (exp, iat, nbf) with date pickers
Your choice of signing algorithm
Custom secret keys

This is perfect for testing authentication flows, creating tokens for API development, or generating sample JWTs for learning purposes.

Why does my token show as expired?

The tool checks the exp (expiration) claim in the payload. If the expiration timestamp is in the past, the token is considered expired. This is normal for:

Old tokens from previous sessions
Short-lived access tokens (often 15-60 minutes)
Test tokens with intentionally short lifetimes

Expired tokens should be refreshed using your application’s token refresh mechanism.

What’s the difference between decoding and verifying?

Decoding extracts and displays the header and payload from the JWT without checking authenticity. It simply Base64URL-decodes each part to show you what’s inside.

Verifying validates the signature to ensure:

The token was signed with the expected secret/private key
The token hasn’t been modified or tampered with
The signature matches the header and payload

Always verify signatures on the server side for security-critical applications.

Can I use this tool offline?

Yes! Once the page loads, no internet connection is needed. All JWT operations (decoding, generating, verifying) run client-side in your browser. Your data is processed locally and never sent to any server, ensuring complete privacy even offline.

What should I do if I see “Invalid JWT format”?

This error means the token doesn’t match the expected JWT structure. Common causes:

Incomplete token: Ensure you’ve copied all three parts (header.payload.signature)
Extra whitespace: Remove line breaks or spaces added by email/messaging apps
Partial copy: JWTs can be long—make sure you copied the entire string
Not a JWT: The string might be a different token format (JWE, PASETO, etc.)

Valid JWTs contain exactly two dots (.) separating three Base64URL-encoded segments.

How do I get the secret key for verification?

The secret key is defined when the JWT is created on your server. To find it:

Check your server’s JWT configuration/environment variables
Look for JWT_SECRET, SECRET_KEY, or similar in your codebase
Consult your authentication service documentation
Ask your backend team if you didn’t create the tokens

Security warning: Never expose or share secret keys publicly. Keys should only be used in secure environments.

Can this tool decode encrypted JWTs (JWE)?

Currently, this tool focuses on signed JWTs (JWS format). Encrypted JWTs (JWE - JSON Web Encryption) have a different structure with five parts instead of three:

JWS: header.payload.signature (3 parts)
JWE: header.encryptedKey.iv.ciphertext.tag (5 parts)

JWE tokens require decryption before the payload can be read. Decryption support may be added in future updates.

Are JWTs secure for storing passwords?

No. Never store passwords or highly sensitive secrets in JWTs. JWTs are encoded, not encrypted - anyone can decode them and read the contents. Use JWTs for:

User identifiers
Roles and permissions
Non-sensitive user metadata
Token expiration info

For sensitive data, use proper encryption (AES, RSA) and store only references or encrypted values in JWTs.