JWT Decoder

Paste a JSON Web Token to instantly decode its header, payload and claims. Everything runs in your browser โ€” your token never leaves your device.

JWT Decoder ยท 100% client-side ยท No server uploads
Invalid JWT format
Header Algorithm & token type
Payload Claims & data
Signature
Signature verification requires your secret key and cannot be done client-side securely. This tool decodes only โ€” do not trust unsigned tokens in production.

How to Decode a JWT Token Online

JWT (JSON Web Token) is a compact, URL-safe format for transmitting claims between parties. A JWT consists of three Base64URL-encoded segments โ€” header, payload, and signature โ€” separated by dots.

What each section contains

  • Header โ€” Algorithm (alg) and token type (typ), e.g., HS256 and JWT
  • Payload โ€” Claims such as sub (subject), iss (issuer), exp (expiry), and any custom fields your app adds
  • Signature โ€” A cryptographic hash used to verify the token has not been tampered with
  • Expiry status โ€” Automatically checked against current UTC time using the exp claim

Why use this tool?

Paste any JWT and instantly see a colour-coded breakdown of every claim. The tool checks the exp timestamp automatically, so you can tell at a glance whether a token is still valid โ€” no manual Base64 decoding required.

FAQ

Is my JWT token sent to any server?

No. All decoding happens entirely in your browser using JavaScript. Your token never leaves your device and is never transmitted anywhere.

Can this tool verify JWT signatures?

No. Signature verification requires your secret key or public key and cannot be done securely in a browser. This tool decodes (Base64URL-decodes) the header and payload only.

What JWT claims does this tool display?

Standard claims such as sub (Subject), iss (Issuer), exp (Expires), iat (Issued At), nbf (Not Before), aud (Audience), and jti (JWT ID) are shown with friendly labels. All custom claims are also displayed.

How do I check if a JWT has expired?

Paste your token and look at the Payload section. The tool automatically reads the exp claim and shows whether the token is valid or expired, with the time remaining or how long ago it expired.

Which JWT algorithms can this tool decode?

All common JWT algorithms including HS256, HS384, HS512, RS256, RS384, RS512, ES256, and others are supported for decoding. The header alg field shows which algorithm was used to sign the token.

Related Tools

JSON Formatter

Pretty-print and validate JSON

Hash Generator

MD5, SHA-1, SHA-256, SHA-512

Base64 Encoder

Encode and decode Base64

Unit Converter

Length, weight, volume, temp

Resize Image

Change dimensions of any image