JWT Decoder
Decode JSON Web Tokens to inspect the header, payload, and expiry. Signature is intentionally not verified — only the issuer can do that.
Runs entirely in your browser
About JWT Decoder
The JWT Decoder splits a token at its dots, Base64URL-decodes the header and payload, and shows them as readable JSON. It also highlights the standard time claims (`iat`, `exp`) in human-readable form and warns when a token has expired.
A crucial design choice: this tool does not verify the signature. JWT verification requires the issuing key (an HMAC secret or a public key) and must happen on the server side that owns the token. Verifying client-side gives you no security guarantees — anyone can replace the signature. The decoder is for inspection and debugging only, which is exactly what most engineers need: confirm the `sub`, the `exp`, custom claims, or that the `alg` matches what your service expects. It uses the `jose` library and runs entirely in your browser, so tokens never leave your machine.
How to use
1. Paste the JWT
   Drop the token (header.payload.signature) into the textarea. Decoding happens as you type.
2. Review the header
   Confirm the algorithm (`alg`) and token type (`typ`).
3. Review the payload
   Standard claims: `iss` (issuer), `sub` (subject), `aud` (audience), `iat` (issued at), `exp` (expiry). The decoded UI shows iat/exp as local timestamps.
4. Check the expiry warning
   If the token has expired (`exp` < now), a warning banner appears under the payload.
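The same decode-and-check steps in code, as an added example that is not the tool's own source (the tool uses the `jose` library; this uses only the `atob` and `TextDecoder` globals). The names `inspectJwt`, `expectedAlgs` and `now` are assumptions, and the `alg: none` and future-`iat` warnings go beyond what the page says the tool reports.

```javascript
// Added example: decode-only JWT inspection. All names are hypothetical, not the tool's code.

// Base64URL segment -> UTF-8 text: map URL-safe chars back, restore '=' padding.
function b64urlToText(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error("segment is not Base64URL");
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

function parseJsonObject(segment, label) {
  const value = JSON.parse(b64urlToText(segment));
  if (value === null || typeof value !== "object" || Array.isArray(value)) {
    throw new Error(`${label} is not a JSON object`);
  }
  return value;
}

// Nothing here checks the signature, so the result is for debugging only and
// must never feed an authorization decision.
function inspectJwt(token, { expectedAlgs = [], now = Math.floor(Date.now() / 1000) } = {}) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const header = parseJsonObject(parts[0], "header");
  const payload = parseJsonObject(parts[1], "payload");
  const warnings = [];
  if (String(header.alg).toLowerCase() === "none") {
    warnings.push("alg is none: token is unsigned");
  } else if (expectedAlgs.length > 0 && !expectedAlgs.includes(header.alg)) {
    warnings.push(`alg ${header.alg} is not one the service expects`);
  }
  if (typeof payload.exp !== "number") warnings.push("no numeric exp claim");
  else if (payload.exp < now) warnings.push("token expired");
  if (typeof payload.iat === "number" && payload.iat > now) warnings.push("iat is in the future");
  // ISO 8601 UTC is unambiguous; out-of-range timestamps yield null instead of throwing.
  const toIso = (t) => {
    const d = new Date(typeof t === "number" ? t * 1000 : NaN);
    return Number.isNaN(d.getTime()) ? null : d.toISOString();
  };
  return { header, payload, warnings, signatureVerified: false,
    issuedAt: toIso(payload.iat), expiresAt: toIso(payload.exp) };
}

// The sample token from this page (its third segment is a placeholder, not a signature).
const SAMPLE_TOKEN =
  "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkFkYSIsImlhdCI6MTcxNjE2NDM5OSwiZXhwIjoxNzE2MjUwNzk5fQ.signature_here";
console.log(inspectJwt(SAMPLE_TOKEN, { expectedAlgs: ["HS256"] }));
```

Passing `now` explicitly makes the expiry check reproducible when inspecting a captured token after the fact.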
Examples
A typical access token
Header identifies the algorithm; payload carries claims about the subject.
Input
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkFkYSIsImlhdCI6MTcxNjE2NDM5OSwiZXhwIjoxNzE2MjUwNzk5fQ.signature_here
Output
Header: {"alg":"HS256","typ":"JWT"}
Payload: {"sub":"1234567890","name":"Ada","iat":1716164399,"exp":1716250799}
iat: May 19, 2024, 4:13 PM
exp: May 20, 2024, 4:13 PM
Frequently asked questions
Why doesn't this verify the signature?
Verification requires the issuer's secret or public key. Verifying client-side would mean trusting a key delivered to the browser — which gives no security. JWT verification must happen on the server that owns the token.
Is it safe to paste a real token?
The decoding happens entirely in your browser; the token is never sent to a server. That said, treat any access token like a password — close the tab when you're done.
What algorithms can it decode?
Any JWT regardless of signing algorithm (HS256, RS256, ES256, etc.). Decoding inspects the parts; it doesn't run cryptographic verification.
How do I know if a token is expired?
The decoder shows iat and exp as human dates, and posts a yellow warning banner if exp is before the current local time.
What's the structure of a JWT?
Three Base64URL-encoded parts separated by dots: header.payload.signature. Header and payload are JSON; signature is the cryptographic proof.