
JWT Decoder

Paste a JWT to instantly decode its header, payload, and signature. Inspect registered claims with descriptions, check expiry status, and verify signatures with HMAC secrets or public keys. Runs entirely in your browser; nothing is transmitted.

In-browser only · Web Crypto API · RFC 7519
All decoding runs in your browser — no token data is ever transmitted.

Guide

How to Use

  1. Paste your JWT

    Copy a JWT from your application, API response, or browser DevTools and paste it into the input field. Decoding starts automatically after a short pause.

  2. Inspect the decoded panels

    The header and payload appear as formatted JSON with syntax highlighting. Hover over registered claim keys (iss, sub, exp…) to see their RFC 7519 descriptions.

  3. Check expiry and validity

    A coloured badge in the payload panel shows whether the token is still valid, has expired, or is not yet active (based on the exp and nbf claims).

  4. Verify the signature

    Open the Verify Signature panel, choose HMAC Secret, PEM Public Key, or JWK, enter your key, and click Verify to confirm the signature cryptographically.

  5. Copy decoded data

    Use the Copy button in each panel to put the decoded header or payload JSON on your clipboard, or copy a plain-text token summary.

Reference

JWT Structure Explained

| Part      | Contents                                                                                                                                 | Encoding  |
|-----------|------------------------------------------------------------------------------------------------------------------------------------------|-----------|
| Header    | Base64URL-encoded JSON specifying the token type (typ) and signing algorithm (alg). Always the first segment.                             | Base64URL |
| Payload   | Base64URL-encoded JSON containing the claims — assertions about the subject plus any custom data.                                        | Base64URL |
| Signature | The cryptographic signature over header.payload, using the algorithm declared in the header. Proves the token has not been tampered with. | Base64URL |

Frequently Asked Questions

What is a JWT?
A JSON Web Token (JWT, RFC 7519) is a compact, URL-safe token format consisting of three Base64URL-encoded segments separated by dots: header, payload, and signature. It is commonly used for authentication and information exchange in web APIs.
Is it safe to paste my JWT into this tool?
Yes. All decoding and verification happens entirely in your browser using built-in Web APIs. No data is sent to any server — you can open your browser’s Network tab and confirm that zero requests are made when you paste a token.
What does "alg: none" mean?
An algorithm value of "none" means the token carries no cryptographic signature. Any server that accepts such a token without verifying the signature is vulnerable to a critical security flaw. This decoder flags the condition with an amber warning badge.
Why does the expiry badge show "Expired" even though the token still works?
Token expiry is checked against your local device clock. If your device clock is ahead of the server’s, a token the server considers valid may appear expired here. Conversely, a token the server has rejected may look valid locally.
Which signature algorithms are supported for verification?
HMAC (HS256, HS384, HS512), RSA PKCS#1 v1.5 (RS256, RS384, RS512), ECDSA (ES256, ES384, ES512), and RSA-PSS (PS256, PS384, PS512). Tokens with alg: none cannot be verified.
Can I decode a JWT that was created with a different library?
Yes. JWT decoding only requires Base64URL-decoding and JSON parsing — it is entirely standard and interoperable. Any valid JWT from any library or language will decode correctly here.
What is the difference between decoding and verifying a JWT?
Decoding reads the contents of the token by reversing the Base64URL encoding — anyone can do this without knowing the secret key. Verifying cryptographically proves that the token was signed by the holder of the private key (or HMAC secret), confirming its authenticity and integrity.
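The decode/verify split described in this answer, together with the exp/nbf badge rule and the alg: none check from the answers above, as an added Python example that is not the tool's own code: decoding needs no key at all, while verification recomputes the HMAC over header.payload against an allowlisted algorithm. The secret, claims and issuer URL are constructed sample values.

```python
import base64, hashlib, hmac, json, time
# HMAC algorithms this example verifies; RS*/ES*/PS* need a public-key library and are left out
HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

def b64url_decode(s):
    # Base64URL omits '=' padding; restore it before decoding
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def decode_jwt(token):
    """Decoding only: needs no key and proves nothing about who produced the token."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    payload = json.loads(b64url_decode(payload_b64))
    return header, payload, b64url_decode(sig_b64)

def expiry_status(payload, now=None):
    """Same rule as the tool's badge: RFC 7519 requires now < exp and now >= nbf."""
    now = time.time() if now is None else now
    if "nbf" in payload and now < payload["nbf"]:
        return "not yet active"
    if "exp" in payload and now >= payload["exp"]:
        return "expired"
    return "valid"

def verify_hmac(token, secret, allowed=("HS256",)):
    """Verification: recompute the MAC over header.payload and compare in constant time."""
    header, _, sig = decode_jwt(token)
    alg = header.get("alg")
    # The header is untrusted input: "none" and any alg outside the server's allowlist fail closed
    if alg not in allowed or alg not in HMAC_ALGS:
        return False
    signing_input = token.rsplit(".", 1)[0].encode()
    expected = hmac.new(secret, signing_input, HMAC_ALGS[alg]).digest()
    return hmac.compare_digest(expected, sig)

def make_token(header, payload, secret):
    """Builds constructed sample tokens for the demo; secret=None yields an unsigned alg:none token."""
    enc = lambda d: b64url_encode(json.dumps(d, separators=(",", ":")).encode())
    signing_input = f"{enc(header)}.{enc(payload)}"
    if secret is None:
        return signing_input + "."
    mac = hmac.new(secret, signing_input.encode(), HMAC_ALGS[header["alg"]]).digest()
    return signing_input + "." + b64url_encode(mac)
SECRET = b"constructed-demo-secret"  # sample value for this example, not a real key
CLAIMS = {"iss": "https://issuer.example", "sub": "user-42", "exp": 1_700_000_000}
SIGNED = make_token({"alg": "HS256", "typ": "JWT"}, CLAIMS, SECRET)
UNSIGNED = make_token({"alg": "none", "typ": "JWT"}, CLAIMS, None)
```

Both SIGNED and UNSIGNED decode identically; only SIGNED verifies, and only under the secret and algorithm the verifier was told to accept.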
Can I use this tool offline?
Yes. Once the page has loaded, decoding, expiry checks, and signature verification all work with no network connection.