JWT Decoder
Decode and inspect JWT tokens. View header, payload, and signature without any server calls.
What is JWT Decoder?
A JWT decoder inspects JSON Web Tokens—the compact, URL-safe format used for authentication and authorization in APIs and single sign-on. JWTs have three Base64url-encoded parts separated by dots: header (algorithm and type), payload (claims like sub, exp, iat, iss), and signature. This tool decodes and displays all three as readable JSON without verifying the signature, so you can inspect what a token contains.
Developers use JWT decoders to debug auth flows, verify claim structure, check expiration times, and troubleshoot "token invalid" errors. When an API returns 401, decoding the token reveals whether it's expired, missing claims, or using an unexpected algorithm. The tool also flags security risks such as alg: none (signature bypass) or missing exp (token never expires). All decoding runs entirely in your browser—your token never leaves your device.
How to Use JWT Decoder
- Paste your JWT token (the full eyJ... string) into the input box. Remove any surrounding quotes or whitespace.
- Click Decode or press Ctrl+Enter. The header, payload, and signature appear as formatted JSON.
- Review the Header for algorithm (alg) and token type (typ).
- Review the Payload for claims: sub (subject), exp (expiration), iat (issued at), iss (issuer), and any custom claims.
- Check the stats for expiry status ("Valid", "Expired", "No expiry") and issued-at date. Heed any security risk warnings.
- Use Advanced to set clock skew (for expiry tolerance), timezone for date display, or verify the signature with an HMAC secret (HS256/384/512).
- Click Copy All or Save to export the decoded JSON.
Tips & Best Practices
Click Use Sample to load a demo token and see the output format. Clock skew helps when server and client clocks differ—add a few minutes to avoid false "expired" results. For HMAC-signed tokens, you can verify the signature in Advanced by entering the secret. The tool does not support RSA/EC verification in the browser. Never paste production tokens with sensitive data into unknown sites; this tool runs locally, but always exercise caution. Press Ctrl+Shift+C to copy and Esc to clear.
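The decode step and the checks described above (three Base64url segments, alg: none, missing exp, expiry status with clock skew), as an added JavaScript example that is not this tool's own code. The function names, warning labels and sample tokens are assumptions constructed for illustration; it decodes only and does not verify the signature.

```javascript
// Added example: decode-only inspection of a JWT. The signature is never verified.
function b64urlToJson(segment) {
  // Base64url -> Base64: swap the URL-safe alphabet back and restore padding.
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}

function inspectJwt(token, { skewSeconds = 0, now = Date.now() / 1000 } = {}) {
  // Strip surrounding whitespace and quotes, as the usage steps advise.
  const parts = token.trim().replace(/^["']|["']$/g, '').split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const header = b64urlToJson(parts[0]);
  const payload = b64urlToJson(parts[1]);
  const warnings = [];
  // "alg: none" declares that the token carries no signature protection.
  if (String(header.alg).toLowerCase() === 'none') warnings.push('alg-none');
  if (parts[2] === '') warnings.push('empty-signature');
  let expiry = 'No expiry';
  if (typeof payload.exp === 'number') {
    // Clock skew extends the accepted lifetime by skewSeconds.
    expiry = now > payload.exp + skewSeconds ? 'Expired' : 'Valid';
  } else {
    warnings.push('missing-exp'); // token never expires
  }
  return { header, payload, signature: parts[2], expiry, warnings };
}

// Constructed sample tokens (not real credentials), built inline.
function b64url(obj) {
  const bin = String.fromCharCode(...new TextEncoder().encode(JSON.stringify(obj)));
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function makeToken(header, payload, signature) {
  return [b64url(header), b64url(payload), signature].join('.');
}
const SIGNED = makeToken(
  { alg: 'HS256', typ: 'JWT' },
  { sub: 'user-123', iss: 'https://issuer.example', iat: 1700000000, exp: 1700003600 },
  'c2lnbmF0dXJl'); // placeholder signature segment, never checked here
const UNSIGNED = makeToken({ alg: 'none', typ: 'JWT' }, { sub: 'user-123' }, '');
```

An expiry status of "Valid" here only means the exp claim has not passed; it says nothing about whether the signature is genuine.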
When to Use This Tool
Use the JWT Decoder when debugging authentication errors, inspecting API tokens, or verifying claim structure before implementing token validation. It's ideal for developers integrating OAuth, OpenID Connect, or custom JWT-based auth. For related tasks: use the Base64 encoder to manually decode JWT segments, the Unix timestamp converter to convert exp and iat values, or the UUID generator when creating unique jti (JWT ID) claims.
Frequently Asked Questions
What is a JWT token?
A JSON Web Token (JWT) is a compact format for securely transmitting claims between parties. It has three parts: header (algorithm), payload (claims like sub, exp), and signature.
How do I decode a JWT?
Paste your JWT into the input box and click Decode. The tool splits and decodes the header and payload, showing them as readable JSON. The signature is displayed but not verified.
Is it safe to decode JWTs online?
This tool runs entirely in your browser. Your token never leaves your device. Never paste production secrets or tokens with sensitive data into unknown sites.
What are JWT claims?
Claims are key-value pairs in the payload. Common ones: sub (subject), iat (issued at), exp (expiration), iss (issuer). The decoder shows all claims in the payload section.
Can I verify a JWT signature?
This tool decodes and displays the header, payload, and signature but does not verify the signature. For full verification you need the secret key. For Base64 encoding, try our Base64 encoder.