JWT Decoder

Decode JSON Web Tokens (JWT) and view header, payload, and claims. Check expiration status and inspect token contents. All processing happens in your browser - your tokens never leave your device.

Privacy Notice: All JWT decoding happens in your browser. Your tokens are never sent to any server.

Security Note: This tool does not verify signatures. Always verify JWTs server-side before trusting their contents.

How to Use the JWT Decoder

Decoding a JWT

  1. Paste your JWT token into the input field
  2. Click "Decode JWT"
  3. View the decoded header, payload, and signature
  4. Check expiration status and standard claims
  5. Review any custom claims in your token

Getting a JWT

JWTs are commonly found in:

  • HTTP Authorization headers: Bearer eyJhbGc...
  • Browser cookies or localStorage
  • API responses after authentication
  • OAuth 2.0 / OpenID Connect flows

What is a JSON Web Token (JWT)?

A JSON Web Token (JWT) is a compact, URL-safe token format used for securely transmitting information between parties. JWTs are commonly used for authentication and authorization in modern web applications. A JWT consists of three parts: header, payload (claims), and signature, separated by dots.

JWT Structure Explained

Header

Contains metadata about the token, including the signing algorithm (e.g., HS256, RS256) and token type (typ: "JWT").

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload (Claims)

Contains the claims - statements about the user and additional data. Claims can be registered (standard), public, or private (custom).

  • sub - Subject (user ID)
  • iss - Issuer (who created the token)
  • aud - Audience (intended recipient)
  • exp - Expiration time (Unix timestamp)
  • iat - Issued at (Unix timestamp)
  • nbf - Not before (Unix timestamp)

Signature

Created by signing the encoded header and payload with a secret key (HMAC) or private key (RSA). The signature is what lets a verifier detect that the header or payload has been tampered with. Note: This tool does not verify signatures - verification requires the HMAC secret (or, for RSA, the signer's public key) and should only be done server-side.

Common Use Cases

For Developers

  • Debug authentication issues in web applications
  • Inspect JWT claims sent by identity providers (Auth0, Okta, etc.)
  • Verify token expiration times during development
  • Understand JWT structure and contents
  • Test API authentication flows

For Security Professionals

  • Analyze JWT tokens during security audits
  • Check for sensitive data exposure in claims
  • Verify proper token expiration settings
  • Inspect algorithm usage (alg header)
  • Review custom claims for security issues

For API Integration

  • Decode OAuth 2.0 access tokens
  • View ID tokens from OpenID Connect
  • Debug API authorization headers
  • Inspect service-to-service authentication tokens

Features

  • 100% Client-Side - All decoding happens in your browser using JavaScript
  • No Verification Needed - Decode tokens without requiring secret keys
  • Expiration Check - Instant notification if token is expired
  • Claims Display - Separate views for standard and custom claims
  • Human-Readable Dates - Automatic conversion of Unix timestamps
  • Privacy First - Your tokens never leave your browser
  • Copy-Paste Friendly - Easy to copy decoded JSON

Frequently Asked Questions

Is my JWT token safe?

Yes! All JWT decoding happens entirely in your browser using JavaScript. Your tokens never leave your device and are never sent to any server. However, remember that a standard (signed) JWT is not encrypted - anyone who obtains the token can decode its payload. Never put sensitive data in JWT payloads.

Why doesn't this tool verify signatures?

Signature verification requires the secret key (for HMAC) or public key (for RSA). For security reasons, secret keys should never be exposed client-side. JWT signature verification should always be done server-side where keys can be kept secure. This tool focuses on decoding and inspecting token contents only.

What's the difference between JWT and JWS/JWE?

JWT is the general term. JWS (JSON Web Signature) is a signed JWT, which is the most common type. JWE (JSON Web Encryption) is an encrypted JWT. This tool handles standard JWTs (which are typically JWS).

Can JWTs be used for session management?

Yes, JWTs are commonly used for stateless authentication. The server doesn't need to store session data - all necessary information is in the token. However, this means you can't easily revoke JWTs before they expire, so keep expiration times short and use refresh tokens for long-lived sessions.

What does the "exp" claim mean?

The "exp" (expiration) claim is a Unix timestamp indicating when the token expires. After this time, the token should be considered invalid. This tool automatically checks if a token is expired and shows how much time remains until expiration.