🔐 JWT Decoder

Paste any JSON Web Token to instantly decode and inspect the header, payload, and signature. Highlights expiry status and common claims. Your token never leaves your browser.

Header & Payload · Expiry Check · Token Stays Local
⚠️ Privacy reminder: This tool processes your JWT entirely in-browser. Nothing is transmitted. Still, avoid pasting production tokens with sensitive payloads into online tools — use this for debugging and development.

FAQ

What is a JWT?

A JWT (JSON Web Token) is a compact, URL-safe token format for transmitting claims between parties. It has three Base64URL-encoded parts separated by dots: Header (algorithm + type), Payload (claims), and Signature. JWTs are widely used for API authentication and stateless session tokens.

Does this tool verify the signature?

No — signature verification requires the secret or public key. This tool only decodes the Base64URL-encoded header and payload. It shows whether the token appears expired based on the exp claim, but cannot confirm authenticity without the key.

Is it safe to paste my JWT here?

This tool decodes your token entirely in the browser — nothing is sent to any server. However, as a general rule, avoid sharing production tokens with sensitive payloads in any online tool. Use this for development and debugging.

What are common JWT claims?

sub (subject), iss (issuer), aud (audience), exp (expiration time), iat (issued at), nbf (not before), jti (JWT ID). Custom claims can be anything your application defines.

What does "algorithm: HS256" mean?

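HS256 means the token is signed with HMAC-SHA256 using a shared secret. RS256 uses RSA with a private/public key pair. ES256 uses ECDSA. The algorithm is stored in the JWT header so the receiver knows how to verify the signature. Because the header is itself unverified until the signature check passes, a verifier should accept only the algorithms it expects rather than whatever the header names.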