JWT Decoder
SecurityDecode and inspect JSON Web Tokens — view header, payload, and claims instantly.
Discussion
Join the discussion
Sign in to share your thoughts and engage with the community.
About this tool
What is the JWT Decoder?
A JSON Web Token (JWT) is a compact, self-contained token used to transmit information between parties — most commonly to authenticate users and authorize API requests. JWTs are Base64URL-encoded and consist of three dot-separated sections: a header, a payload, and a signature.
The JWT Decoder decodes any JWT token and presents its contents in a readable format, so you can inspect the header algorithm, read all payload claims, check expiry timestamps, and understand exactly what the token contains — without needing to write any code.
How to Use the JWT Decoder
- Paste your JWT into the input field. A valid JWT looks like three Base64URL strings separated by dots:
xxxxx.yyyyy.zzzzz - View the decoded output. The tool immediately decodes and displays:
- Header — the algorithm used to sign the token and the token type
- Payload — all claims contained in the token, shown as formatted JSON
- Signature — the raw signature string used to verify the token's integrity
- Check timestamps. Unix timestamps in the payload (
iat,exp,nbf) are converted to human-readable dates so you can see exactly when the token was issued and when it expires.
JWT Structure Explained
Header — a JSON object identifying the signing algorithm and token type:
{ "alg": "HS256", "typ": "JWT" }
Common algorithms: HS256 (HMAC-SHA256), RS256 (RSA-SHA256), ES256 (ECDSA).
Payload — a JSON object containing claims. Standard claims include:
| Claim | Name | Description |
|-------|---------------------------------------------------------------|
| sub | Subject | The user or entity the token represents |
| iss | Issuer | Who created and signed the token |
| aud | Audience | Who the token is intended for |
| iat | Issued At | Unix timestamp of when the token was created |
| exp | Expiry | Unix timestamp after which the token is invalid |
| nbf | Not Before | Unix timestamp before which the token is invalid |
Applications can add any additional custom claims alongside these standard ones.
Signature — a cryptographic signature computed from the encoded header and payload using the algorithm and secret key specified in the header. It cannot be forged without the secret key, and any tampering with the header or payload invalidates it.
What This Tool Does and Doesn't Do
The decoder reads the header and payload — this requires no secret key, because the content is Base64URL-encoded, not encrypted. Any JWT can be decoded by anyone who has it.
The decoder does not verify the signature without the secret or public key. Signature verification confirms the token was issued by a trusted source and hasn't been tampered with — that requires the key used to sign it.
For debugging purposes (checking claims, timestamps, algorithm), decoding is sufficient. For security validation in production, always verify the signature server-side using a JWT library.
Common Uses
Debugging authentication flows — decode a token your app received to confirm it contains the expected claims, user ID, roles, and expiry before your auth logic processes it.
Checking token expiry — paste a token to instantly see its exp timestamp in readable form rather than converting a Unix timestamp manually.
Learning JWT structure — understand how JWTs encode data and how different auth providers (Auth0, Firebase, Supabase, Clerk) structure their tokens.
API integration testing — inspect tokens issued during an OAuth flow or login request to verify the claims your API should receive.
Privacy
All decoding happens in your browser. Never paste production tokens containing sensitive user data into any online tool — decode only development and test tokens here.