DevsToolkit

JWT Decoder

Decode and inspect JSON Web Tokens (JWT). View the header, payload, and expiry information without verification.

All processing happens locally in your browser — your data never leaves your machine.

Examples

Decode an HS256 JWT with user claims

Input
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkphbmUgRG9lIiwiZW1haWwiOiJqYW5lQGV4YW1wbGUuY29...
Output
=== HEADER ===
{
  "alg": "HS256",
  "typ": "JWT"
}

=== PAYLOAD ===
{
  "sub": "1234567890",
  "name": "Jane Doe",
  "e...

Decode an RS256 JWT with API scopes

Input
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImFwaS1rZXktMSJ9.eyJpc3MiOiJodHRwczovL2F1dGguZXhhbXBsZS5jb20iLCJzdWIiOiJhcGk...
Output
=== HEADER ===
{
  "alg": "RS256",
  "typ": "JWT",
  "kid": "api-key-1"
}

=== PAYLOAD ===
{
  "iss": "https://auth.exam...

Decode a Bearer token with custom claims

Input
Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c2VyXzk4NyIsInRlbmFudCI6ImFjbWUtY29ycCIsInBsYW4iOiJlbnRlcnByaXNl...
Output
=== HEADER ===
{
  "alg": "HS256",
  "typ": "JWT"
}

=== PAYLOAD ===
{
  "sub": "user_987",
  "tenant": "acme-corp",
  "...

Frequently Asked Questions

What is a JSON Web Token (JWT)?
A JSON Web Token (JWT) is a compact, URL-safe token format used for securely transmitting information between parties as a JSON object. It consists of three parts separated by dots: a header (algorithm and token type), a payload (claims such as user ID, roles, and expiration), and a signature. JWTs are widely used for authentication and authorization in web applications and APIs.
Is it safe to paste my JWT here?
Yes. This tool runs entirely in your browser. Your token is never sent to any server, stored, or logged. All decoding happens locally using JavaScript, so your sensitive token data remains private.
Does this tool verify the JWT signature?
No. This tool only decodes and displays the header and payload of a JWT. It does not verify the cryptographic signature, so the decoded claims show what the token says, not that the token is authentic. To verify a signature you need the signing key or public key, which is typically done server-side. This tool is designed for quick inspection and debugging of token contents.
What are common JWT claims like exp, iat, and nbf?
The 'exp' (expiration time) claim specifies when the token expires. The 'iat' (issued at) claim indicates when the token was created. The 'nbf' (not before) claim defines the earliest time the token should be accepted. All three are expressed as Unix timestamps (seconds since January 1, 1970 UTC). This decoder automatically converts them to human-readable dates.
