JWT Decoder

Paste a JWT token to decode the header, payload and claims, instantly in your browser.


What is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe token format widely used for authentication and information exchange. A JWT has three Base64URL-encoded parts separated by dots: the header (algorithm and token type), the payload (claims: data about the user or session), and the signature (used to verify the token hasn't been tampered with).

Standard payload claims include sub (subject, usually the user ID), iss (issuer), aud (audience), exp (expiration time), iat (issued at), and nbf (not before). This decoder shows all claims in a human-readable format and highlights whether the token has expired. Note: decoding a JWT does not verify its signature; that requires the secret key. Never trust decoded JWT claims for security decisions without verifying the signature server-side.


How to Use

  1. Paste a JWT token into the input field, or click ⚑ Sample to load an example.
  2. The header and payload are decoded and displayed with syntax highlighting.
  3. Standard claims (exp, iat, nbf) are shown in human-readable date format.
  4. Expiry status is shown: green if valid, red if expired.

Frequently Asked Questions

Technically yes. This tool runs entirely in your browser and sends nothing to any server. However, JWTs often contain sensitive user information (user IDs, roles, email addresses) and should be treated with care. If the JWT is a bearer token granting access to a live system, rotating it after using any online decoder is good practice, just as you would after accidentally committing it to a public repo.

No. Signature verification requires the secret key (for HMAC) or public key (for RSA/ECDSA), which only your server should have. This decoder only decodes and displays the header and payload. The signature portion is shown as-is. If you need to verify signatures, use your server-side JWT library (e.g. jsonwebtoken in Node.js, PyJWT in Python).

No. All decoding happens entirely in your browser. Your JWT is never sent to any server.
