JWT Decoder
Paste a JSON Web Token to decode its header, payload, and claims. Expiry is checked against the current time. Runs entirely in your browser — nothing is sent to a server.
What is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe token defined in RFC 7519. It consists of three Base64URL-encoded sections separated by dots: header.payload.signature. The header declares the signing algorithm; the payload carries claims (user ID, roles, expiry); the signature lets the receiving server verify that the header and payload were issued by the holder of the signing key and have not been altered since. JWTs are widely used in OAuth 2.0, OpenID Connect, and API authentication.
How to Use
- Paste a JWT (the full xxxxx.yyyyy.zzzzz string) into the input.
- The header and payload are decoded and pretty-printed immediately.
- If the payload contains exp, the tool checks it against the current time and shows whether the token is expired.
- Timestamps in iat, exp, and nbf are converted to human-readable UTC.
Common Issues
- Token expired — The exp claim is in the past. Request a new token from your auth server.
- Wrong number of segments — A valid JWT has exactly two dots. Truncated or malformed tokens will fail to decode.
- Invalid Base64URL padding — Some systems incorrectly add standard Base64 padding (=) or use the standard alphabet (+ and /) instead of the URL-safe - and _. Strip padding before decoding.
- Signature not verified here — This tool decodes only. Signature verification requires the secret or public key and must happen server-side.
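The decoding steps above (split on dots, Base64URL-decode the first two segments, check exp and nbf against the clock, render timestamps as UTC) and the padding and segment-count issues, as an added browser-side example that is not the tool's own code. The sample token is constructed inline, and its third segment is a placeholder rather than a real signature.

```javascript
// Base64URL (RFC 4648 section 5) decode to a string. Tolerates padding a
// producer should not have emitted, and a segment written in the standard alphabet.
function base64UrlDecode(segment) {
  let b64 = segment.replace(/-/g, '+').replace(/_/g, '/').replace(/=+$/, '');
  b64 += '='.repeat((4 - (b64.length % 4)) % 4); // restore the padding atob() requires
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes); // JWT JSON is UTF-8
}

// Used only to build the constructed sample token below.
function base64UrlEncode(str) {
  const bin = Array.from(new TextEncoder().encode(str), (b) => String.fromCharCode(b)).join('');
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Decode header and payload and evaluate exp/nbf against nowSeconds (defaults to
// the current time). Decoding only: the signature segment is never checked.
function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) {
    throw new Error(`Wrong number of segments: expected 3, got ${parts.length}`);
  }
  const header = JSON.parse(base64UrlDecode(parts[0]));
  const payload = JSON.parse(base64UrlDecode(parts[1]));
  const isNum = (v) => typeof v === 'number' && Number.isFinite(v);
  const toUtc = (secs) => (isNum(secs) ? new Date(secs * 1000).toISOString() : undefined);
  return {
    header,
    payload,
    times: { iat: toUtc(payload.iat), nbf: toUtc(payload.nbf), exp: toUtc(payload.exp) },
    expired: isNum(payload.exp) && nowSeconds >= payload.exp,
    notYetValid: isNum(payload.nbf) && nowSeconds < payload.nbf,
    signatureVerified: false, // verification needs the key and belongs server-side
  };
}

// Constructed sample: HS256 header, one-hour lifetime starting at 1700000000
// (2023-11-14T22:13:20Z), and a placeholder third segment that is not a signature.
const SAMPLE_TOKEN = [
  base64UrlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' })),
  base64UrlEncode(JSON.stringify({ sub: 'user-123', iat: 1700000000, nbf: 1700000000, exp: 1700003600 })),
  'c2lnbmF0dXJl',
].join('.');

// Evaluate the sample as if the clock read 100 s after expiry.
console.log(JSON.stringify(decodeJwt(SAMPLE_TOKEN, 1700003700), null, 2));
```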
FAQs
Is it safe to paste my JWT here?
Decoding runs entirely in your browser — nothing is sent to a server. That said, treat JWTs as credentials: avoid pasting production tokens into any online tool unless you are certain of the environment.
Can this tool verify the signature?
No. Signature verification requires the signing secret or RSA/EC public key, which you should never share with a third-party tool. Use your backend or a trusted library (e.g. jsonwebtoken, python-jose) to verify signatures.
What algorithms do JWTs support?
Common algorithms: HS256 (HMAC-SHA256, symmetric), RS256 (RSA PKCS#1 v1.5 with SHA-256, asymmetric), and ES256 (ECDSA on the P-256 curve with SHA-256, asymmetric). The algorithm is declared in the header's alg field; a verifier should accept only the algorithm it expects for that issuer rather than switching on whatever the header declares.