JWT Decoder
Inspect JWT payloads
{"alg": "HS256","typ": "JWT"}
{"sub": "1234567890","name": "Ada Lovelace","admin": true,"iat": 1700000000,"exp": 9999999999}
| Claim | Meaning | Value | Human |
|---|---|---|---|
| sub | Subject | 1234567890 | |
| name | custom | Ada Lovelace | |
| admin | custom | true | |
| iat | Issued at | 1700000000 | Tue, 14 Nov 2023 22:13:20 GMT (2y ago) |
| exp | Expiration | 9999999999 | Sat, 20 Nov 2286 17:46:39 GMT (264y from now) |
What is JWT Decoder?
Decode a JSON Web Token (JWT) and inspect its header and payload without sending the token anywhere. Without the signing key, signature verification is not performed, but you still see exactly what the token contains, including issuer, audience, expiry, and custom claims. Essential for debugging authentication flows, reviewing tokens during an integration, or understanding a third-party API's token format.
How do I use JWT Decoder?
- Paste the JWT (three Base64URL segments separated by dots) into the input.
- The header and payload decode live on the right.
- Expiry and issued-at timestamps are shown in human-readable form.
JWT Decoder by the numbers
- Supported algs: HS256/384/512, RS256/384/512
- Verification: Optional; key pasted locally
- Privacy: Token never transmitted
- Claims parsing: iat, exp, nbf auto-decoded
- Copy: Header, payload, or whole token
Common use cases for JWT Decoder
- Debugging a 401 by checking whether a token is expired.
- Confirming a downstream service is reading the right "sub" claim.
- Demonstrating token contents to a teammate during a review.
- Verifying an RS256-signed token against a public key.
- Teaching the JWT structure in a workshop without exposing live tokens.
Common pitfalls and how to avoid them
- Verification fails with the right key — Check the alg header — HS* needs the shared secret, RS* needs the PEM public key. Copy-paste errors are the usual culprit.
- Token decodes but looks tampered — Remember: the header and payload are base64-encoded, not encrypted. Anyone with the token can read them — that is expected.
- Expiry shows the wrong time — exp is Unix seconds, not milliseconds. If you compare it against Date.now(), which returns milliseconds, divide Date.now() by 1000 first.
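The decoding steps described on this page, including the "encoded, not encrypted" and seconds-versus-milliseconds pitfalls above, as an added example that is not the tool's own code. The names `decodeJwt`, `base64UrlDecode` and `encodeSegment` and the millisecond heuristic are assumptions made for illustration; the sample token is constructed from the header and payload shown at the top of the page.

```javascript
const TIME_CLAIMS = { iat: 'Issued at', nbf: 'Not before', exp: 'Expiration' };

// Base64URL -> UTF-8 text. atob() wants the standard alphabet plus the
// padding that JWT segments omit, so restore both before decoding.
function base64UrlDecode(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error('segment is not Base64URL');
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (ch) => ch.charCodeAt(0));
  return new TextDecoder('utf-8', { fatal: true }).decode(bytes);
}

// Inverse helper, used only to build the constructed sample token below.
function encodeSegment(obj) {
  return btoa(JSON.stringify(obj)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) throw new Error('expected three dot-separated segments');
  const header = JSON.parse(base64UrlDecode(parts[0]));
  const payload = JSON.parse(base64UrlDecode(parts[1]));
  const times = {};
  for (const [claim, meaning] of Object.entries(TIME_CLAIMS)) {
    const value = payload[claim];
    if (typeof value !== 'number') continue;
    times[claim] = {
      meaning,
      utc: new Date(value * 1000).toUTCString(), // claims are Unix seconds
      // Heuristic: a value this large is almost certainly milliseconds.
      looksLikeMilliseconds: value > 1e11,
    };
  }
  return {
    header, payload, times,
    expired: typeof payload.exp === 'number' && nowSeconds >= payload.exp,
    notYetValid: typeof payload.nbf === 'number' && nowSeconds < payload.nbf,
    signature: 'unverified', // decoding says nothing about who issued the token
  };
}

// Constructed sample: the header and payload shown at the top of this page,
// with a placeholder third segment instead of a real signature.
const SAMPLE_TOKEN = [
  encodeSegment({ alg: 'HS256', typ: 'JWT' }),
  encodeSegment({ sub: '1234567890', name: 'Ada Lovelace', admin: true, iat: 1700000000, exp: 9999999999 }),
  'placeholder-signature',
].join('.');
console.log(decodeJwt(SAMPLE_TOKEN).times);
```

Because the result always reports the signature as "unverified", treat every decoded claim as untrusted input until the token has been verified with the correct key.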
When should I use JWT Decoder?
JWT Decoder inspects tokens locally. To verify signatures, you need the server's public key — that's typically done in code, not via a tool. For generic Base64 decoding of things that aren't JWTs, use Base64 Decode.
Does the tool verify the JWT signature?
Only if you paste the public key / secret. Without it, the decoder shows the header and payload as-is (header and payload are base64-encoded, not encrypted) but marks the signature as "unverified".
Is it safe to paste real JWTs here?
Everything happens in your browser — the token never leaves your device. Still, avoid pasting production tokens into unfamiliar sites as a rule of thumb.
What algorithms are supported for verification?
HS256, HS384, HS512 (HMAC), and RS256, RS384, RS512 (RSA). ES256 / ES384 / ES512 are planned.
Is my file uploaded anywhere?
No. Everything runs in your browser. Your files never leave your device, and there is no server component for this tool.