JWT Decoder & Inspector
Decode and inspect JSON Web Tokens (JWT). View header, payload, and signature.
Paste a JWT and see its three parts — header, payload, signature — parsed into readable JSON. Human-readable timestamps for iat, exp, and nbf, so you can immediately tell whether a token is expired or not yet valid. Works with any signing algorithm (HS256, RS256, ES256, and friends). Tokens never leave your browser — everything is decoded locally.
A JSON Web Token has three parts separated by dots: a base64url-encoded header, a base64url-encoded payload, and a signature. The header says which algorithm signs the token. The payload carries claims like sub (subject), exp (expiration), iat (issued-at), aud (audience), and any custom fields your app defines. The signature lets the receiver verify that the token wasn't tampered with — but only if they have the signing key.
Decoding is not verification. A JWT's payload is readable by anyone who has the token — it's not encrypted, just encoded. Think of it as tamper-evident, not private. Never put passwords, secrets, or sensitive PII in a JWT payload. If you need confidentiality, use JWE (JSON Web Encryption) instead.
The most common JWT bugs involve time. exp is a Unix timestamp in seconds (not milliseconds), and clock drift between servers can cause tokens to appear expired on one side but valid on another. This decoder shows absolute timestamps in your local timezone plus a human-readable duration, so you can spot expiration issues at a glance.
1. Paste the token
Drop the full token string into the input. It should look like xxxxx.yyyyy.zzzzz — three base64url segments separated by dots.
2. Review the header
The header shows the signing algorithm (alg) and token type (typ). If you see 'alg: none', reject the token — that's a classic JWT vulnerability.
3. Inspect the payload claims
Standard claims like iss, sub, aud, exp, nbf, and iat are shown with human-readable timestamps. Custom claims appear as-is.
4. Verify expiration
The decoder tells you whether the token is currently valid, expired, or not yet valid by comparing the exp and nbf claims against your local clock.
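The decoding and time checks the steps above describe, as an added example written for this page (not the tool's own source). It runs in Node.js; the function names, the sample claims, the fixed clock and the clock-skew parameter are assumptions made for the illustration:

```javascript
// Added example: decode-and-inspect only; the signature is never verified here.
// Function names, sample claims and the fixed clock are constructed for this illustration.

function base64UrlDecode(segment) {
  // base64url -> standard base64: URL-safe alphabet back to +/ and restore padding.
  let b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const rem = b64.length % 4;
  if (rem === 1) throw new Error('invalid base64url segment length');
  if (rem) b64 += '='.repeat(4 - rem);
  return Buffer.from(b64, 'base64').toString('utf8');
}

function base64UrlEncode(str) {
  // Used only to build the constructed sample tokens below.
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('JWT must have exactly three dot-separated segments');
  const [h, p, signature] = parts;
  return { header: JSON.parse(base64UrlDecode(h)), payload: JSON.parse(base64UrlDecode(p)), signature };
}

// nowSeconds defaults to the real clock; skewSeconds is the tolerated clock drift between servers.
function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000), skewSeconds = 0) {
  const { header, payload, signature } = decodeJwt(token);
  const warnings = [];
  if (!header.alg || String(header.alg).toLowerCase() === 'none') warnings.push('alg is none: unsigned token, reject it');
  if (signature === '') warnings.push('empty signature segment');
  if (payload.exp === undefined) warnings.push('no exp claim: token never expires');
  if (typeof payload.exp === 'number' && payload.exp > 1e11) warnings.push('exp looks like milliseconds, not seconds');
  let status = 'valid';
  if (typeof payload.nbf === 'number' && nowSeconds + skewSeconds < payload.nbf) status = 'not-yet-valid';
  else if (typeof payload.exp === 'number' && nowSeconds - skewSeconds >= payload.exp) status = 'expired';
  const times = {}; // human-readable copies of the time claims (UTC ISO strings here)
  for (const c of ['iat', 'nbf', 'exp']) if (typeof payload[c] === 'number') times[c] = new Date(payload[c] * 1000).toISOString();
  return { header, payload, status, times, warnings };
}

// Constructed sample tokens with a fixed clock so results are reproducible; the signature is a placeholder.
const NOW = 1700000000;
const SAMPLE_TOKEN = [
  base64UrlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' })),
  base64UrlEncode(JSON.stringify({ iss: 'https://issuer.example', sub: 'user-123', aud: 'api', iat: NOW - 60, nbf: NOW - 60, exp: NOW + 3600 })),
  'placeholder-signature',
].join('.');
const NONE_TOKEN = [base64UrlEncode('{"alg":"none"}'), base64UrlEncode(JSON.stringify({ sub: 'user-123', exp: NOW + 60 })), ''].join('.');
```

Calling inspectJwt(SAMPLE_TOKEN, NOW + 3600) reports 'expired', while the same call with skewSeconds set to 30 still reports 'valid', which is exactly the clock-drift ambiguity the text warns about.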
Debugging auth failures
When an API returns 401, paste the token to see whether it's expired, has the wrong audience, or is missing a required scope.
API integration work
Inspect tokens issued by OAuth providers (Auth0, Okta, Cognito) to understand what claims they set and what your code can rely on.
Reverse-engineering token flows
When working with an unfamiliar API, decode sample tokens to learn how the issuer structures claims.
Security review
Check whether an issued JWT carries too much information, relies on a weak signing setup (for example HS256 with a guessable shared secret), or lacks a proper expiration.
Does this verify the signature?
No. This tool only decodes the header and payload. Verifying the signature requires the signing key, which you should never paste into a web tool. Do signature verification in your backend or with a trusted library.
Is my token sent to a server?
No. Everything happens in your browser. The decoder parses the token locally using base64url decoding and JSON.parse. Nothing is logged or transmitted.
Why does my token show an 'invalid' error?
JWTs must have exactly three base64url-encoded segments separated by dots. If you copied a trimmed token, a URL-encoded version, or a token missing its signature, decoding will fail. Check that you have all three dot-separated parts.
What's the difference between JWT, JWS, and JWE?
JWS (JSON Web Signature) is a signed token — the common case. JWE (JSON Web Encryption) is an encrypted token whose payload isn't readable without the decryption key. 'JWT' usually means JWS in practice. This tool decodes JWS tokens.
Can I see what a JWT with alg 'none' looks like?
Yes — the decoder will show its payload, but you should treat any real-world 'alg: none' token as suspicious. Properly implemented JWT libraries reject them, but older or misconfigured libraries have been exploited to accept unsigned tokens.