JWT Decoder
Decode and inspect JSON Web Tokens in your browser.
FAQ
- Is it safe to paste my token here?
- Yes — this tool runs entirely in your browser. Nothing is sent to a server. That said, avoid pasting production tokens from sensitive systems into any online tool as a habit.
- Why is the signature not verified?
- Verifying a JWT signature requires the secret key or public key, which only your server should have. Decoding the payload is safe and useful without it.
- What is a JWT?
- A JSON Web Token is a compact, URL-safe way to represent claims between two parties. It has three parts: header (algorithm), payload (claims), and signature.
- What does exp mean?
- The exp claim is a Unix timestamp indicating when the token expires. This tool shows the expiry status relative to your current time.
ABOUT THIS TOOL
Paste a JSON Web Token to decode its header, payload, and signature into readable JSON — entirely in your browser with no server involved. A JWT is three Base64url-encoded sections separated by dots: a header describing the signing algorithm, a payload containing claims like user ID, expiration (exp), and issuer, and a signature that proves the token wasn't tampered with. This tool decodes the header and payload so you can read the claims, but it does not verify the signature, since that requires the issuer's secret or public key, which you shouldn't paste into a random web tool anyway. Helpful for debugging authentication issues, inspecting token claims, or understanding what a JWT contains before wiring it into your app.
HOW TO USE
- Paste the full JWT string, including all three dot-separated parts, into the input field.
- View the decoded header on one side, showing the algorithm (like HS256 or RS256) and token type.
- View the decoded payload on the other side, showing claims like sub, iat, exp, and any custom fields.
- Check the exp (expiration) claim against the current time to see if the token has expired.
- Note that the signature section is shown but not cryptographically verified here.
- Copy individual claim values you need for debugging, or copy the full decoded JSON.
COMMON USE CASES
- A developer debugging a 401 Unauthorized error decodes the JWT their app is sending to check whether the expected claims and expiration are actually present.
- Someone integrating with an OAuth provider inspects an access token's payload to see what scopes and user info it actually contains.
- A backend engineer verifies that a token's exp claim is set to the expected lifetime after changing token issuance code.
- A security-conscious developer checks which signing algorithm (alg) a third-party token uses to confirm it isn't using the insecure "none" algorithm.
- A support engineer pastes a user-reported token to quickly see the user ID and role encoded inside it without querying the database.
TIPS & COMMON MISTAKES
- This tool decodes but does not verify the signature — a token could have a tampered payload and still "decode" fine, so never treat successful decoding here as proof the token is authentic.
- Never paste a real production JWT containing sensitive data into a third-party tool if you can avoid it; anyone can decode a JWT's header and payload without any secret, since only Base64url encoding protects them, not encryption.
- The exp and iat claims are Unix timestamps in seconds, not milliseconds — compare them against the current Unix time in seconds to check expiration correctly.
- Watch for the algorithm listed in the header; tokens signed with "none" or using a mismatched algorithm between issuance and verification are a well-known JWT security vulnerability.
MORE QUESTIONS
- Is a JWT encrypted?
- No, a standard JWT (JWS) is only signed and Base64url-encoded, not encrypted — anyone who has the token can read its header and payload; only encrypted JWTs (JWE) hide the payload content, and those are far less common.
- Why does this tool show the signature as invalid or unchecked?
- Verifying a signature requires the secret key (for HMAC algorithms like HS256) or the public key (for RSA/ECDSA algorithms like RS256), neither of which you should paste into a browser tool you don't control, so this tool only decodes rather than verifies.
- Can I trust the claims in a JWT without verifying the signature?
- No — decoding shows you what the payload claims, but only signature verification against the correct key proves those claims haven't been altered since the token was issued.
- Why is my token's expiration date wrong?
- JWT exp and iat claims are Unix timestamps in seconds since the epoch, so if your decoding logic treats them as milliseconds (a common JavaScript Date mistake), the resulting date is off by a factor of 1000.