JWT Decoder

What is JWT Decoder?

JWT Decoder is a free online tool for decoding and inspecting JWT (JSON Web Token) tokens. It decodes the header and payload, displays token claims like expiration time, issuer, and subject, and shows the signature. Perfect for debugging authentication tokens, inspecting API tokens, or learning about JWT structure.

Whether you're debugging authentication issues, inspecting API responses, or learning about JWTs, this tool makes it easy to decode and understand token contents.

How to use JWT Decoder?

Decode a JWT Token

To decode a JWT:

1. Paste your JWT token in the input field
2. View decoded content automatically displayed in tabs
3. Check token information like expiration, issuer, subject
4. Copy decoded JSON using the copy button

Understanding JWT Parts

JWT consists of 3 parts separated by dots (.):

• Header: Token type and signing algorithm
• Payload: Claims and user data
• Signature: Cryptographic signature for verification

Features

• Instant decoding - Decode JWT as you paste
• Three-part display - View header, payload, and signature separately
• Token information - See expiration, issuer, subject, and more
• Expiration check - Automatic validation of token expiry
• Pretty JSON - Formatted JSON output for readability
• Copy to clipboard - Copy decoded parts easily
• Raw values - View base64-encoded raw values
• Dark theme support - Works in light and dark modes
• Client-side only - Your tokens never leave your browser

Use Cases

1. Debug Authentication Tokens

Inspect JWT from login responses:

Token:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Decoded Header:

{
  "alg": "HS256",
  "typ": "JWT"
}

Decoded Payload:

{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}

2. Check Token Expiration

See if your token is still valid:

Payload with expiration:

{
  "sub": "user123",
  "exp": 1735689600,
  "iat": 1735603200
}

Tool shows:

• Expires: Dec 31, 2024 5:00:00 PM
• Badge: "Expired" or "Valid"

3. Inspect API Tokens

Decode tokens from API responses:

Example OAuth token:

{
  "iss": "https://auth.example.com",
  "sub": "[email protected]",
  "aud": "api.example.com",
  "exp": 1735689600,
  "iat": 1735603200,
  "scope": ["read", "write"]
}

4. Verify Token Claims

Check custom claims in your JWT:

Custom claims:

{
  "userId": "12345",
  "role": "admin",
  "permissions": ["read", "write", "delete"],
  "tenant": "company-a"
}

5. Learn JWT Structure

Understand how JWTs work:

Header tells the algorithm:

{
  "alg": "RS256",
  "typ": "JWT",
  "kid": "key-id-1"
}

Payload contains data:

{
  "sub": "user",
  "name": "John",
  "admin": true
}

Signature verifies authenticity (not decoded)

Understanding JWT

What is JWT?

JWT (JSON Web Token) is a compact, URL-safe token format for securely transmitting information between parties. It's commonly used for:

• Authentication - User login sessions
• Authorization - Access control and permissions
• Information exchange - Secure data transfer

JWT Structure

A JWT consists of three Base64-encoded parts separated by dots:

xxxxx.yyyyy.zzzzz

Format:

header.payload.signature

Example:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIn0
.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Header

The header typically contains:

• alg: Signing algorithm (e.g., HS256, RS256)
• typ: Token type (usually "JWT")

Example:

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload (Claims)

The payload contains claims about the user and metadata:

Standard claims:

• iss (issuer): Who issued the token
• sub (subject): Subject identifier (usually user ID)
• aud (audience): Intended recipient
• exp (expiration): When the token expires (Unix timestamp)
• iat (issued at): When the token was created
• nbf (not before): Token not valid before this time

Example:

{
  "sub": "1234567890",
  "name": "John Doe",
  "admin": true,
  "iat": 1516239022,
  "exp": 1516242622
}

Custom claims: You can add any custom claims for your application:

{
  "userId": "user123",
  "role": "admin",
  "permissions": ["read", "write"]
}

Signature

The signature is created by:

1. Taking encoded header and payload
2. Signing with secret key or private key
3. Using algorithm specified in header

Purpose:

• Verify token hasn't been tampered with
• Verify sender is who they claim to be

Note: This tool does not verify signatures as it requires the secret key.

Common JWT Algorithms

Symmetric (HMAC)

HS256 - HMAC with SHA-256

• Uses same secret key for signing and verification
• Fast and simple
• Both parties must know the secret

HS384 - HMAC with SHA-384 HS512 - HMAC with SHA-512

Asymmetric (RSA)

RS256 - RSA with SHA-256

• Uses private key to sign, public key to verify
• More secure for public APIs
• Slower than HMAC

RS384 - RSA with SHA-384 RS512 - RSA with SHA-512

Asymmetric (ECDSA)

ES256 - ECDSA with SHA-256

• Uses elliptic curve cryptography
• Smaller keys, better performance than RSA
• Modern and secure

ES384 - ECDSA with SHA-384 ES512 - ECDSA with SHA-512

Token Validation

Expiration Check

Always check the exp claim:

{
  "exp": 1735689600
}

Convert to date:

new Date(exp * 1000) // Dec 31, 2024

If current time > expiration time, token is expired.

Not Before Check

Check the nbf claim:

{
  "nbf": 1735603200
}

Token is not valid before this time.

Issuer Verification

Verify the iss claim matches expected issuer:

{
  "iss": "https://auth.yourapp.com"
}

Audience Verification

Verify the aud claim matches your API:

{
  "aud": "https://api.yourapp.com"
}

Security Considerations

Never Trust Blindly

• Always verify signature on the server
• Check expiration before using token
• Validate issuer and audience claims
• Use HTTPS to transmit tokens

What This Tool Does NOT Do

• ❌ Verify signatures - Requires secret key
• ❌ Validate tokens - Only decodes content
• ❌ Store tokens - Everything stays in browser
• ❌ Send data to server - 100% client-side

Best Practices

1. Store tokens securely - Use httpOnly cookies
2. Use short expiration times - Reduce risk if token is stolen
3. Implement token refresh - Get new tokens without re-login
4. Use strong algorithms - RS256 or ES256 for production
5. Validate on server - Never trust client-side validation

Frequently Asked Questions

Q: Is it safe to paste my JWT token here?

A: Yes, this tool runs entirely in your browser. Your token never leaves your device or gets sent to any server.

Q: Why doesn't this tool verify signatures?

A: Signature verification requires the secret key or public key. For security, keys should never be entered in browser tools. Verify signatures on your server.

Q: What does "Expired" mean?

A: The token's expiration time (exp claim) is in the past. The token should not be accepted by servers.

Q: Can I decode tokens from any provider?

A: Yes, this tool decodes standard JWT tokens from any provider (Auth0, Firebase, custom, etc.).

Q: What if my token has only 2 parts?

A: That's not a valid JWT. JWTs must have exactly 3 parts: header, payload, and signature.

Q: Can I see what algorithm was used?

A: Yes, check the "alg" field in the Header tab.

Q: What does the signature look like decoded?

A: The signature is binary data and isn't meant to be decoded. It's kept in base64-encoded form.

Privacy & Security

Your privacy is important to us:

• No data is sent to any server
• All decoding happens in your browser
• No cookies or tracking
• No account or login required
• Completely free to use

Related Tools

• Hash Generator