Decode and inspect any JWT token. View header, payload claims, and expiry status. No secret required. Runs 100% in your browser.
https://developertoolkit.dev/tools/jwt-decoder
What is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe token format defined in RFC 7519. In its usual signed form (a JWS in compact serialization) a JWT consists of three Base64url-encoded segments separated by dots: header.payload.signature. The header declares the token type and the signing algorithm. The payload carries claims, which are statements about the subject (user ID, roles, expiry time, issuer, etc.). The signature, once checked against the issuer's secret or public key, shows that the token was produced by that issuer and has not been altered since. JWTs are used pervasively in OAuth 2.0, OpenID Connect, and API authentication flows. Decoding a JWT to inspect its claims requires only Base64url decoding; no key is needed, because a signed JWT is encoded, not encrypted, and anyone holding the token can read its claims. Verifying the signature, however, requires the original HMAC secret or the issuer's public key. (An encrypted JWT, a JWE, has five segments and cannot be read without the decryption key; this tool handles the three-segment signed form.)
How to decode a JWT
Copy a JWT from your application (e.g. from localStorage, a network request header, or your auth library) and paste it into the input field.
The token is decoded instantly. The Header section shows the algorithm and token type.
The Payload section shows all claims with human-readable labels for standard ones (exp, iat, sub, etc.).
The expiry badge at the top shows whether the current time is still before the token's exp claim and how much time remains (or how long ago it expired). The badge reflects the timestamp only; it says nothing about whether the signature is genuine.
Use Copy Header or Copy Payload to copy the decoded JSON for use in other tools.
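The steps above, as an added example that is not the page's own code: a minimal decoder in Node.js that splits the token, Base64url-decodes and parses the header and payload, exposes the raw signature bytes, and judges the exp/nbf window. It performs no signature verification. It assumes Node's Buffer; in a browser you would swap base64urlDecode for atob() plus TextDecoder. The sample token is constructed in the block with a placeholder signature.

```javascript
// Added example: decode a JWT without verifying it (Node.js).

function base64urlDecode(segment) {
  // RFC 4648 section 5 alphabet: '-' replaces '+', '_' replaces '/', padding dropped.
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64');
}

function base64urlEncode(input) {
  return Buffer.from(input).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function parseJsonSegment(segment, name) {
  let value;
  try {
    value = JSON.parse(base64urlDecode(segment).toString('utf8'));
  } catch (e) {
    throw new Error(`${name} is not valid Base64url-encoded JSON`);
  }
  if (value === null || typeof value !== 'object' || Array.isArray(value)) {
    throw new Error(`${name} must be a JSON object`);
  }
  return value;
}

// Returns header, payload, raw signature bytes and a time-window status.
// `now` is seconds since the Unix epoch (exp/iat/nbf use the same unit).
function decodeJwt(token, now = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated segments (JWS compact form), got ${parts.length}`);
  }
  const header = parseJsonSegment(parts[0], 'header');
  const payload = parseJsonSegment(parts[1], 'payload');
  const signature = base64urlDecode(parts[2]);   // shown, never checked here

  let status = 'no-expiry';
  let secondsRemaining = null;
  if (typeof payload.exp === 'number') {
    secondsRemaining = payload.exp - now;
    // RFC 7519: the current time must be before exp, so remaining <= 0 means expired.
    status = secondsRemaining > 0 ? 'valid' : 'expired';
  }
  if (typeof payload.nbf === 'number' && payload.nbf > now) status = 'not-yet-valid';

  return { header, payload, signature, status, secondsRemaining };
}

// Constructed sample token for the demo. The signature segment is a placeholder
// (32 zero bytes); decoding never looks at it, a real token carries an HMAC or
// asymmetric signature there.
function buildSampleToken(claims) {
  const header = base64urlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const payload = base64urlEncode(JSON.stringify(claims));
  const signature = base64urlEncode(Buffer.alloc(32));
  return `${header}.${payload}.${signature}`;
}

const sample = buildSampleToken({
  iss: 'https://issuer.example', sub: 'user-42', aud: 'api.example',
  iat: 1700000000, exp: 1700000900,   // 15-minute lifetime (constructed values)
});
const decoded = decodeJwt(sample, 1700000100);
console.log(decoded.header, decoded.payload, decoded.status, decoded.secondsRemaining);
```

Passing `now` explicitly makes the expiry judgement reproducible; the tool's badge is the same computation with the wall clock.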
Standard JWT claims reference
Claim (full name): description
iss (Issuer): the principal that issued the token, e.g. https://accounts.google.com
sub (Subject): the entity the token represents, typically a user ID
aud (Audience): the intended recipients of the token, e.g. your API domain; a verifier must reject a token whose aud does not include it
exp (Expiration Time): Unix timestamp; the token must not be accepted on or after this time
nbf (Not Before): Unix timestamp; the token must not be accepted before this time
iat (Issued At): Unix timestamp at which the token was issued
jti (JWT ID): unique identifier for the token; a verifier that records the IDs it has seen can use it to reject replayed tokens
Frequently Asked Questions
How do I decode a JWT token online?
Paste the JWT into the input field and the tool decodes it instantly. A JWT is three Base64url-encoded segments separated by dots. This tool splits them, decodes each segment, and displays the header and payload as formatted JSON. No secret key is required for decoding. You only need a secret to verify the signature.
What is the difference between a JWT and a session cookie?
A session cookie stores a session ID on the client while the actual session data lives on the server. On every request, the server looks up the session ID in a database or cache. A JWT stores all the claims directly in the token itself. The server can verify the token and read the claims without a database round-trip, making JWTs well-suited for distributed and stateless architectures. The trade-off is revocation: a JWT stays valid until exp unless the server keeps some state (a denylist of jti values, or a key rotation), which is why access tokens are usually short-lived.
Is it safe to paste my JWT here?
Yes. This tool runs entirely in your browser. Your JWT is never sent to any server; all Base64url decoding and JSON parsing happens locally in JavaScript. Still, treat a JWT like a password: it is a bearer credential, and anyone who obtains it can act as its subject until it expires. As a general habit, avoid pasting live production tokens into any online tool, and prefer browser-local tools like this one when you must inspect one.
Can this tool verify the JWT signature?
No. Decoding a JWT only requires Base64url decoding and needs no secret. Verifying the signature requires the original HMAC secret (for HS256/HS384/HS512) or the issuer's public key (for RS256/ES256 and the other asymmetric algorithms). This tool shows the signature bytes but cannot verify authenticity, so treat the decoded claims as unverified: never make an authorization decision from a payload whose signature has not been checked. Use the JWT Generator tool for signing and verification.
What are the standard JWT claims?
RFC 7519 defines several registered claim names: iss (Issuer), sub (Subject), aud (Audience), exp (Expiration Time), nbf (Not Before), iat (Issued At), and jti (JWT ID). All other claims in the payload are private or public claims defined by the application.
Why does "exp" show a timestamp in the past?
The exp claim is a Unix timestamp (seconds since January 1, 1970 UTC). If the current time is at or past that value, the token is expired. Many JWTs are deliberately short-lived (access tokens often expire after 15 minutes or less). Verifiers commonly allow a few seconds of leeway for clock skew, so a token may still be accepted briefly after its exp. If you are debugging a production issue with an expired token, the timestamp shown will help you understand when the token was valid.
What algorithms can appear in the header?
Common values for the alg header parameter: HS256, HS384, HS512 (HMAC with SHA-2, symmetric), RS256, RS384, RS512 (RSASSA-PKCS1-v1_5 with SHA-2, asymmetric), PS256, PS384, PS512 (RSASSA-PSS, asymmetric), ES256, ES384, ES512 (ECDSA, asymmetric), and none (no signature). A verifier must never let the token's own header choose the algorithm: accepting alg none lets anyone mint tokens with arbitrary claims, and letting an HMAC algorithm be selected where an RSA/ECDSA public key is expected lets an attacker sign with that public key as the HMAC secret. Properly configured libraries are told which algorithm and key to expect and reject everything else.
Can I decode a JWT from Auth0, Firebase, or Clerk?
Yes. All standards-compliant JWTs from any provider follow the same header.payload.signature format. Paste the token and this tool will decode the header and payload regardless of the issuer or platform.