JWT Decoder

Decode, inspect, and debug JSON Web Tokens — 100% in your browser.

Your token never leaves your browser. Zero server calls.
This tool decodes JWTs — it does not verify signatures. Never trust a JWT without server-side signature verification.

How This JWT Decoder Works

A JSON Web Token consists of three base64url-encoded parts separated by dots: header.payload.signature. This tool splits the token, decodes each part, and presents the data in a readable format with claim explanations and expiration checking.

Header

The signing algorithm (alg) and token type (typ). Common algorithms include HS256, RS256, and ES256.

Payload

The claims — data like user ID (sub), issuer (iss), expiration (exp), and any custom claims.

Signature

The cryptographic signature used to verify the token's integrity. Unlike the header and payload, it is raw bytes rather than JSON, and it cannot be checked without the key.
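
The split-and-decode steps described above, including the exp check and the handling of a malformed token, as an added JavaScript example (not this tool's own source). The names b64urlDecode, inspectJwt and makeSample and the status strings are assumptions, and the sample token is constructed with a dummy signature.

```javascript
// Decode one base64url segment to a UTF-8 string (throws on bad input).
function b64urlDecode(segment) {
  if (!/^[A-Za-z0-9_-]*$/.test(segment)) throw new Error('not base64url');
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), c => c.charCodeAt(0));
  return new TextDecoder('utf-8', { fatal: true }).decode(bytes);
}

// Split a token into header.payload.signature, decode the two JSON parts
// and compare exp (Unix seconds) with the current time.
function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) {
    return { ok: false, error: 'expected header.payload.signature' };
  }
  let header, payload;
  try {
    header = JSON.parse(b64urlDecode(parts[0]));
    payload = JSON.parse(b64urlDecode(parts[1]));
  } catch (e) {
    return { ok: false, error: 'header or payload is not base64url-encoded JSON' };
  }
  let status = 'no exp claim';
  if (typeof payload.exp === 'number') {
    status = payload.exp > nowSeconds ? 'valid' : 'expired';
  }
  // verified is always false: nothing here checks the signature, so the
  // decoded claims are for inspection only, never for an access decision.
  return { ok: true, header, payload, status, verified: false };
}

// Build a constructed sample token; 'c2ln' is a dummy signature segment.
function makeSample(payload) {
  const enc = o => btoa(JSON.stringify(o))
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return [enc({ alg: 'HS256', typ: 'JWT' }), enc(payload), 'c2ln'].join('.');
}
```

Anyone can produce a token that decodes cleanly here, which is why the result carries verified: false and the backend must still check the signature.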

JWT Examples & Common Patterns

Explore these examples to understand different JWT structures. Click any example to decode it live.

Standard Auth Token

Header:  { "alg": "HS256", "typ": "JWT" }
Payload: {
  "sub": "1234567890",
  "name": "Jane Developer",
  "email": "jane@example.com",
  "exp": <now+24h>
}

Expired with Roles

Header:  { "alg": "RS256", "kid": "key" }
Payload: {
  "sub": "user_42",
  "roles": ["admin", "editor"],
  "scope": "read write",
  "exp": <now-1h>
}

Complex Nested Claims

Header:  { "alg": "ES256" }
Payload: {
  "sub": "org:acme:user:12345",
  "permissions": [...],
  "org": { "id": "...", "plan": "enterprise" }
}

Minimal Token

Header:  { "alg": "HS256", "typ": "JWT" }
Payload: {
  "sub": "1"
}

Invalid Token Form

not.a.valid-jwt-at-all!

Frequently Asked Questions

What is a JSON Web Token (JWT)?
A JWT is a compact, URL-safe token format defined by RFC 7519. It's widely used for authentication (login sessions), authorization (API access), and information exchange. A JWT contains a JSON header, a JSON payload with claims, and a cryptographic signature.
Is it safe to paste my JWT into this tool?
Yes. This tool runs 100% in your browser. Your token is never sent to any server — all decoding happens client-side using JavaScript. You can verify this by checking your browser's Network tab: you'll see zero requests when you decode a token.
Does this tool verify JWT signatures?
No. This tool decodes JWTs to inspect their contents. It does not verify signatures. Signature verification requires the signing key (secret or public key), which should never be shared with a client-side tool. Always verify signatures on your backend.
What do the standard JWT claims mean?
The standard (registered) claims are: iss (issuer — who created the token), sub (subject — usually a user ID), aud (audience — intended recipient), exp (expiration time), nbf (not before — earliest valid time), iat (issued at — creation time), and jti (JWT ID — unique identifier). This tool shows labels and descriptions for all of these.
How do I check if a JWT is expired?
Paste the JWT into this tool. It automatically reads the exp claim, converts it from a Unix timestamp to a human-readable date, and compares it to the current time. You'll see a green badge ("Valid for X") or a red badge ("Expired X ago") at the top of the results.