JWT Decoder

Inspect JSON Web Tokens (JWT) to understand their contents. Decode any JWT into its three constituent parts: header (algorithm and token type), payload (claims and data), and signature. View timestamps in human-readable format and verify token structure. Useful for debugging authentication flows, understanding API tokens, and verifying JWT claims during development.

What does this tool do?

The JWT Decoder parses and displays the contents of JSON Web Tokens without verifying the signature (verification requires the issuer's public key or secret key). It splits the three dot-separated base64url-encoded components, decodes each to JSON, and presents them in a readable format. Standard JWT claims (expiry, issued-at, not-before) are highlighted with human-readable timestamps. The tool validates JWT structure and reports malformed tokens with specific error information.

How it works

A JWT consists of three parts separated by dots: header.payload.signature. Each part is base64url encoded (URL-safe base64). The tool splits on dots, decodes each part using base64url decoding (converting - to +, _ to /, adding padding), and parses as JSON. The header typically contains alg (algorithm) and typ (type). The payload contains claims like sub (subject), iss (issuer), exp (expiration), iat (issued at). The signature is shown as base64 without verification. Timestamps are converted to local and UTC display.

How to use

  1. Paste your JWT

     Enter a token (format: eyJ...xxxxx.yyyyy.zzzzz). Three dot-separated parts. Most JWTs start with 'eyJ' in base64url.

  2. Review decoded sections

     Header shows algorithm (HS256, RS256, etc.) and type. Payload shows all claims and data. Signature is displayed as base64.

  3. Check timestamps

     exp (expiry), iat (issued at), nbf (not before) are shown as both Unix timestamps and human-readable dates with relative time.

  4. Verify structure

     If the JWT is malformed, you'll see a specific error indicating which part failed to decode or parse.

Common use cases

Debug authentication issues

Inspect JWTs from OAuth flows, SSO systems, or custom auth to verify claims, check expiration, and debug token validation failures.

API development

Decode tokens your API receives to understand their structure, verify the claims you're checking, and debug authorization logic.

Learn JWT structure

Examine real JWTs to understand how they're constructed, what standard claims look like, and how different algorithms are specified.

Token expiration monitoring

Quickly check when a token expires without writing code, useful for manual API testing with tokens that have limited lifetimes.

Frequently asked questions

Does this verify the signature?
No. Signature verification requires the issuer's public key (for RS256/ES256) or secret key (for HS256). This tool only decodes and displays. It cannot cryptographically verify the token is authentic.
Is my token logged?
No. Decoding happens entirely in your browser via JavaScript. The token is never sent to any server or logged anywhere.
What are exp, iat, nbf?
Standard JWT time claims: exp = expiration time (token invalid after), iat = issued at (when created), nbf = not before (token invalid before). All in Unix seconds since epoch.
Why does my JWT fail to decode?
Common issues: missing dots (not a JWT), invalid base64url characters, malformed JSON in payload. Check that you copied the complete token including all three parts.