Sadhuji

JWT Decoder

Decode and inspect JSON Web Tokens to view their header, payload claims, and signature details. Verify expiration and structure without any server call.

How to Use

  1. Paste your full JWT (header.payload.signature) into the input field.

  2. View the decoded header to inspect the signing algorithm and token type.

  3. Review the payload claims including subject, issuer, expiration, and custom data.

  4. Check the expiration badge to see if the token is still valid.

  5. Optionally provide a secret or public key to verify the token's signature.

  6. Copy individual decoded sections for use in your debugging workflow.

About JWT Decoder

What is JWT Decoder?

The JWT Decoder is a free, browser-based tool that parses JSON Web Tokens (JWTs) as defined by RFC 7519 and displays their constituent parts — the header, payload, and signature — in a readable, color-coded format. JWTs are the backbone of modern authentication and authorization systems, used by OAuth 2.0, OpenID Connect, and countless API platforms to securely transmit claims between parties. A JWT consists of three Base64URL-encoded segments separated by dots. This tool decodes each segment, pretty-prints the JSON, highlights registered claims like 'exp' (expiration), 'iat' (issued at), and 'sub' (subject), and converts Unix timestamps to human-readable dates so you can quickly assess whether a token is still valid.

Why Use JWT Decoder?

Debugging authentication issues often starts with inspecting the token. Is it expired? Does it contain the right scopes? Is the audience claim correct? Manually decoding Base64URL strings and converting epoch timestamps is slow and error-prone. This tool gives you a complete token breakdown in one click. Unlike server-based JWT decoders, this tool processes everything locally in your browser, ensuring that sensitive access tokens, refresh tokens, and ID tokens are never transmitted over the network. It is indispensable for backend developers building auth flows, frontend developers handling token storage, and QA engineers verifying token claims during testing.

How to Use

Paste the complete JWT string (all three dot-separated parts) into the input field. The tool instantly decodes the header and payload, displaying the algorithm (e.g., RS256, HS256), token type, issuer, subject, audience, expiration, and all custom claims. Timestamps are shown in both Unix epoch and local date-time format. If the token is expired, a prominent warning badge appears. You can also paste just the header or payload segment if you only need to decode a specific part. For signature verification, provide the signing secret (HMAC) or public key (RSA/ECDSA) in the optional verification panel.

Example Usage

You are troubleshooting a 401 Unauthorized error from your API. Paste the JWT from the Authorization header: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImV4cCI6MTYxNjIzOTAyMn0.signature. The decoder reveals that the 'exp' claim is 1616239022 (March 20, 2021), confirming the token expired years ago. The 'admin' claim is set to true, which you can check against your expected authorization rules. The header shows RS256, meaning the token declares RSA asymmetric signing; like every decoded field, that value is unverified input until the signature has been checked against the issuer's key.
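The decoding steps from this example, as an added sketch that is not the tool's own source: it splits the token, Base64URL-decodes the header and payload, converts 'exp' to a date, and reports expiry. It runs under Node.js (Buffer is a Node API); the names decodeSegment and inspectJwt are chosen here for illustration, and the result marks the signature as unverified because decoding alone says nothing about authenticity.

```javascript
'use strict';

// Decode one Base64URL segment (RFC 7515 alphabet, no padding) into a JSON object.
function decodeSegment(seg) {
  // Buffer is lenient with stray characters, so validate the alphabet first.
  if (!/^[A-Za-z0-9_-]+$/.test(seg)) {
    throw new Error('segment is not valid Base64URL');
  }
  const b64 = seg.replace(/-/g, '+').replace(/_/g, '/');
  const obj = JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
  if (obj === null || typeof obj !== 'object' || Array.isArray(obj)) {
    throw new Error('segment does not contain a JSON object');
  }
  return obj;
}

// Decode header and payload and evaluate 'exp' against nowSeconds.
// nowSeconds is injectable so the check is reproducible in tests.
function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) {
    throw new Error('expected three segments: header.payload.signature');
  }
  const header = decodeSegment(parts[0]);
  const payload = decodeSegment(parts[1]);
  const hasExp = typeof payload.exp === 'number' && Number.isFinite(payload.exp);
  return {
    header,
    payload,
    // 'exp' is seconds since the Unix epoch; Date expects milliseconds.
    expiresAt: hasExp ? new Date(payload.exp * 1000).toISOString() : null,
    // RFC 7519: the current time must be before 'exp'.
    expired: hasExp ? nowSeconds >= payload.exp : null,
    // Nothing here checks parts[2]; claims stay untrusted until it is verified.
    signatureVerified: false,
  };
}

// Sample token from the page's example (its third segment is a placeholder).
const SAMPLE_TOKEN =
  'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.' +
  'eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImV4cCI6MTYxNjIzOTAyMn0.' +
  'signature';

const result = inspectJwt(SAMPLE_TOKEN);
console.log(result.header.alg, result.expiresAt, 'expired:', result.expired);
```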

Benefits

Instant, client-side decoding keeps your tokens confidential. Human-readable timestamp conversion eliminates manual epoch math. Color-coded sections make it easy to distinguish header, payload, and signature at a glance. Expiration warnings catch stale tokens immediately. Support for all standard algorithms (HS256, RS256, ES256, etc.) means you can inspect tokens from any identity provider.
