JWT Decoder
Paste any JSON Web Token to decode its header and payload. See claims, expiry time, and issuer at a glance. Signature verification requires the secret — this tool decodes only. Nothing leaves your browser.
Developer Tools
What This Tool Does
Decodes JWT (JSON Web Token) strings and displays the header, payload, and signature sections in readable JSON — entirely in your browser. Private keys are never sent anywhere.
Who This Is For
- Backend developers inspecting tokens during authentication debugging sessions
- Security engineers auditing token claims, expiry times, and signing algorithms
- API integration developers verifying that tokens contain the expected scopes and user data
- Learners who want to understand the structure of JWTs without writing decode code
Example: Input: A JWT string like eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ... → Output: Three decoded JSON sections: Header (algorithm and type), Payload (claims like sub, exp, iat), and Signature status
What Is a JSON Web Token (JWT)?
A JSON Web Token is a compact, URL-safe string used to securely transmit claims between two parties. It is the dominant authentication mechanism for REST APIs, single-page applications, and microservices. When you log in to a web app, the server typically returns a JWT — your browser stores it and sends it with every subsequent request to prove your identity.
A JWT has three parts separated by dots:
- Header — base64url-encoded JSON declaring the token type (JWT) and signing algorithm (HS256, RS256, etc.)
- Payload — base64url-encoded JSON containing the claims: user ID, email, roles, expiry time, issuer.
- Signature — a cryptographic signature that proves the token was issued by a trusted party and has not been tampered with.
How to Decode and Inspect a JWT
- Paste your JWT into the input field — it looks like three base64url strings joined by dots.
- The header and payload are decoded and displayed immediately.
- Check the `exp` claim to see when the token expires (shown as a human-readable date).
- Check the `alg` field in the header — ensure it is not `none`, which would mean no signature verification.
- Look at the payload claims: `sub` (subject / user ID), `iss` (issuer), `aud` (audience), `iat` (issued at), `exp` (expires).
This tool decodes the token client-side only — the JWT never leaves your browser. This is important for security: never paste production tokens into online tools that make server requests.
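The decoding steps above as a stand-alone Python example. This is added here and is not the tool's own code: the header and claims are constructed sample values, and the signature segment is a fixed placeholder rather than a real MAC, because, like the tool, this only decodes and never verifies.

```python
import base64
import json
from datetime import datetime, timezone

# Constructed sample header and claims; not a token from any real system
SAMPLE_HEADER = {"alg": "HS256", "typ": "JWT"}
SAMPLE_PAYLOAD = {
    "sub": "user-1234",
    "iss": "https://auth.example.com",
    "aud": "orders-api",
    "iat": 1700000000,
    "exp": 1700003600,
    "role": "admin",
}

STANDARD_CLAIMS = ("sub", "iss", "aud", "iat", "exp", "nbf", "jti")


def b64url_decode(segment: str) -> bytes:
    """JWT segments drop the '=' padding; restore it before decoding.
    urlsafe_b64decode is needed because the JWT alphabet uses '-' and '_'."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    """Unpadded base64url, the JWT segment encoding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_sample_token(header=SAMPLE_HEADER, payload=SAMPLE_PAYLOAD) -> str:
    """Assemble header.payload.signature from the sample values. The signature
    segment is 32 placeholder zero bytes, not a real MAC: this example only
    decodes, it does not sign or verify."""
    segments = [
        b64url_encode(json.dumps(header, separators=(",", ":")).encode("utf-8")),
        b64url_encode(json.dumps(payload, separators=(",", ":")).encode("utf-8")),
        b64url_encode(b"\x00" * 32),
    ]
    return ".".join(segments)


def decode_jwt(token: str) -> dict:
    """Split on dots and decode header and payload. No verification happens here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated segments, got {len(parts)}")
    return {
        "header": json.loads(b64url_decode(parts[0])),
        "payload": json.loads(b64url_decode(parts[1])),
        "signature": b64url_decode(parts[2]),
    }


def inspect_jwt(token: str) -> dict:
    """What a reviewer looks at first: alg, exp as a readable UTC date,
    the standard claims, custom claims, and warnings worth acting on."""
    decoded = decode_jwt(token)
    alg = decoded["header"].get("alg")
    warnings = []
    if not isinstance(alg, str) or alg.lower() == "none":
        warnings.append("alg is missing or 'none': no signature to verify; reject")
    if not decoded["signature"]:
        warnings.append("signature segment is empty")
    exp = decoded["payload"].get("exp")
    exp_iso = None
    if isinstance(exp, (int, float)):
        exp_iso = datetime.fromtimestamp(exp, tz=timezone.utc).isoformat()
    payload = decoded["payload"]
    standard = {k: payload[k] for k in STANDARD_CLAIMS if k in payload}
    custom = {k: v for k, v in payload.items() if k not in STANDARD_CLAIMS}
    return {"alg": alg, "exp_iso": exp_iso, "standard_claims": standard,
            "custom_claims": custom, "warnings": warnings}


if __name__ == "__main__":
    token = build_sample_token()
    print(token)
    print(json.dumps(inspect_jwt(token), indent=2))
```

Running it prints the three-segment token followed by the report; the `exp` of the sample resolves to 2023-11-14T23:13:20 UTC. Swapping the header for `{"alg": "none", "typ": "JWT"}` produces the warning a secure server would act on.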
Standard JWT Claims Reference
| Claim | Full Name | Description |
|---|---|---|
| sub | Subject | The user or entity the token refers to. Usually a user ID. |
| iss | Issuer | Who issued the token. Usually a URL like https://auth.example.com. |
| aud | Audience | Who the token is intended for. Should be validated by the receiver. |
| exp | Expiration | Unix timestamp. Token is invalid after this time. |
| iat | Issued At | Unix timestamp when the token was issued. |
| nbf | Not Before | Token is invalid before this Unix timestamp. |
| jti | JWT ID | Unique identifier for this token. Used to prevent replay attacks. |
Any additional fields in the payload are custom claims — role, email, permissions, tenant, etc. These are application-defined.
Common JWT Debugging Scenarios
- 401 Unauthorized on every request — decode the token and check `exp`. If it is in the past, the token has expired and needs to be refreshed.
- Wrong user permissions — check the roles or permissions claims in the payload. The token may have been issued before a permission change.
- Signature verification failing — check `alg` in the header. An `alg: none` token has no signature and should be rejected by any secure server.
- Token issued for wrong audience — check the `aud` claim. Tokens from one service should not be accepted by another service without explicit validation.
- Clock skew errors — if the server rejects a freshly issued token, there may be a clock difference between services. The `nbf` and `exp` claims use absolute timestamps.
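The checks behind the scenarios above, written as one Python validation routine. This is an added example, not code from the tool: it takes an already-decoded header and payload, and the 60-second leeway, the issuer, audience and timestamps are constructed sample values.

```python
from datetime import datetime, timezone


def validate_claims(header, payload, *, expected_iss, expected_aud, now=None, leeway=60):
    """Return a list of findings for a decoded token; an empty list means the
    claims are acceptable for this receiver. `now` is a Unix timestamp and
    `leeway` (seconds) absorbs small clock differences between services."""
    if now is None:
        now = int(datetime.now(timezone.utc).timestamp())
    findings = []

    # Signature verification failing: alg must name a real algorithm, never none
    alg = header.get("alg")
    if not isinstance(alg, str) or alg.lower() == "none":
        findings.append("alg is missing or 'none': token is unsigned, reject it")

    # 401 on every request: exp in the past (beyond leeway) means the token expired
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)):
        findings.append("exp claim missing: token would never expire")
    elif now > exp + leeway:
        findings.append(f"expired {now - exp}s ago (exp={exp})")

    # Clock skew: an nbf slightly in the future is tolerated up to leeway
    nbf = payload.get("nbf")
    if isinstance(nbf, (int, float)) and now + leeway < nbf:
        findings.append(f"not valid for another {nbf - now}s (nbf={nbf}); check clock sync")

    # Wrong issuer: only trust tokens minted by the issuer this service expects
    if payload.get("iss") != expected_iss:
        findings.append(f"issuer {payload.get('iss')!r} is not {expected_iss!r}")

    # Wrong audience: aud may be a string or a list (RFC 7519); this receiver must be in it
    aud = payload.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        findings.append(f"audience {aud!r} does not include {expected_aud!r}")

    return findings


# Constructed sample data for a quick run
GOOD_HEADER = {"alg": "RS256", "typ": "JWT"}
GOOD_PAYLOAD = {
    "sub": "user-1234",
    "iss": "https://auth.example.com",
    "aud": ["orders-api", "billing-api"],
    "iat": 1700000000,
    "nbf": 1700000000,
    "exp": 1700003600,
}
ISSUER = "https://auth.example.com"

if __name__ == "__main__":
    print("fresh:  ", validate_claims(GOOD_HEADER, GOOD_PAYLOAD, expected_iss=ISSUER,
                                      expected_aud="orders-api", now=1700001000))
    print("expired:", validate_claims(GOOD_HEADER, GOOD_PAYLOAD, expected_iss=ISSUER,
                                      expected_aud="orders-api", now=1700003700))
    print("skewed: ", validate_claims(GOOD_HEADER, {**GOOD_PAYLOAD, "nbf": 1700001120},
                                      expected_iss=ISSUER, expected_aud="orders-api", now=1700001000))
```

The checks are deliberately independent so a debugging session sees every problem at once rather than only the first one; a production verifier would reject on the first finding and, before any of this, check the signature.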
Authentication and Security Workflow
JWT decoding is part of a broader authentication debugging workflow:
- Format the decoded JSON payload for readable inspection
- Validate the JSON structure of the payload
- Decode Base64url segments — JWT parts are Base64url-encoded strings
- Generate HMAC hashes to understand the JWT signing process
- Convert the exp and iat timestamps from Unix epoch to readable dates
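The HMAC step of the workflow above, shown end to end in Python as an added example (not the tool's code): an HS256 token is issued with a constructed demo secret, then verified the way a server should, with a fixed algorithm allow-list and a constant-time comparison. Two variants that a correct verifier must refuse are built alongside it: the same claims edited after signing, and the same claims with `alg` set to `none`.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; a real issuer would use a long random key from a secret store
DEMO_SECRET = b"constructed-demo-secret-not-for-real-use"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _segment(obj: dict) -> str:
    # Compact JSON (no spaces) is the conventional serialization of a JWT segment
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Issue a token: the MAC is HMAC-SHA256 over the ASCII 'header.payload' string."""
    signing_input = f"{_segment({'alg': 'HS256', 'typ': 'JWT'})}.{_segment(payload)}"
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(mac)}"


def verify_hs256(token: str, secret: bytes) -> bool:
    """Verify as a server should: the verifier fixes the algorithm (RFC 8725),
    the token's alg is only checked against it, and the MACs are compared in
    constant time. Any malformed input yields False rather than an exception."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return False
    if header.get("alg") != "HS256":
        return False
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def claims_changed_after_signing(token: str, changes: dict) -> str:
    """Re-encode the payload with edited claims but keep the original signature,
    to demonstrate that the MAC no longer matches."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    payload = json.loads(b64url_decode(payload_b64))
    payload.update(changes)
    return f"{header_b64}.{_segment(payload)}.{sig_b64}"


def unsigned_variant(token: str) -> str:
    """The same claims with alg none and an empty signature segment."""
    _, payload_b64, _ = token.split(".")
    return f"{_segment({'alg': 'none', 'typ': 'JWT'})}.{payload_b64}."


if __name__ == "__main__":
    token = sign_hs256({"sub": "user-1234", "exp": 1700003600}, DEMO_SECRET)
    print("genuine:        ", verify_hs256(token, DEMO_SECRET))
    print("wrong secret:   ", verify_hs256(token, b"some-other-secret"))
    print("edited payload: ", verify_hs256(claims_changed_after_signing(token, {"sub": "user-9"}), DEMO_SECRET))
    print("alg none:       ", verify_hs256(unsigned_variant(token), DEMO_SECRET))
```

Only the first line prints True. The `alg` check happens before any MAC computation, which is the point of the allow-list: the header is attacker-controlled until the signature has been checked, so it must never be allowed to select the verification method.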
Related Tools
- Analyzing JWT claims in bulk? Export the payload JSON to CSV for spreadsheet analysis. → export JWT claims data to CSV
- Got many JWT payloads to audit? Decode each and export the claims JSON to CSV. → export decoded claims to a spreadsheet
- Writing authentication documentation? Convert your Markdown JWT guide to HTML. → document JWT authentication flows
- Passing a JWT token as a URL parameter? URL-encode it to handle the periods and equals signs safely. → URL-encode JWT tokens for HTTP requests
- Migrating JWT parsing code from VB.NET to C#? Use the VB.NET to C# Converter. → convert VB.NET JWT parsing to C#
Related Guides
JWT Authentication Explained: How Tokens Work in Modern APIs
How JWTs are issued, validated, and refreshed — with a walkthrough of the header, payload, and signature.
Tutorial
Decoding and Debugging JWTs: A Developer's Checklist
Common JWT issues in production: expired tokens, wrong audience, clock skew, and algorithm confusion.
Guide
Base64 Encoding Explained: When and Why Developers Use It
JWTs use Base64URL encoding under the hood — understand the encoding that powers modern auth.
Frequently Asked Questions
"alg": "none" — meaning no signature — treating them as valid. An attacker could forge any token. Modern libraries reject alg: none. Per RFC 8725, servers should specify allowed algorithms explicitly and never accept none.

HS256 uses a shared secret — both the issuer and verifier use the same key. RS256 uses an asymmetric key pair: the issuer signs with a private key; verifiers check with the public key. RS256 is preferred in distributed systems because the public key can be shared freely without compromising security.

In JavaScript, `JSON.parse(atob(token.split(".")[1].replace(/-/g,"+").replace(/_/g,"/")))` decodes the payload. In Python: `import base64, json; json.loads(base64.urlsafe_b64decode(payload + "=="))` (the URL-safe decoder is required, because the standard `b64decode` silently discards the `-` and `_` characters of the base64url alphabet and returns corrupted JSON). For production, use a JWT library like jsonwebtoken (Node) or PyJWT (Python) that also verifies the signature.