Language
English English Vietnamese (Tiếng Việt) Vietnamese (Tiếng Việt) Chinese (简体中文) Chinese (简体中文) Portuguese (Brazil) (Português do Brasil) Portuguese (Brazil) (Português do Brasil) Spanish (Español) Spanish (Español) Indonesian (Bahasa Indonesia) Indonesian (Bahasa Indonesia)
JWT Decoder

JWT Decoder

Decode and inspect JSON Web Tokens instantly. View the header, payload, and signature with claim explanations and expiration status, all in your browser.

JWT Decoder — Read Any Token Instantly

This JWT decoder lets you paste any JSON Web Token and instantly read its header, payload, and signature in your browser. It is built for developers debugging authentication, API authorization, or single sign-on flows who need to see exactly what a token contains.

A JWT has three dot-separated parts: the Header (token type and signing algorithm), the Payload (the claims — user ID, email, roles, expiry, and more), and the Signature (used to verify the token was not tampered with). The decoder splits and formats all three the moment you type, with claim explanations and human-readable timestamps to save you the lookups.

Private by design: decoding happens entirely in your browser using built-in Base64URL parsing. Your token is never uploaded, stored, or logged — open the network tab and you will see no requests when you paste.

How to Decode a JWT

1

Paste your token

Drop your JWT into the Encoded Token field. It decodes automatically as you type — no button to press. Click Sample to load a demo token if you just want to see how it works.

2

Read the decoded parts

The Header and Payload appear as formatted JSON with syntax highlighting, each in its own color-coded panel. The Signature is shown as its raw Base64URL string.

3

Check the status

The status bar shows the signing algorithm and token type, plus whether the token is Valid, Expired, Not Yet Valid, or has No Expiry, with a relative time such as "Expires in 2 hours".

4

Explore and copy

Hover any recognized claim name — like iss, sub, or exp — to see what it means. Use the copy buttons to grab the header, payload, or signature on its own.

Features

Real-Time Decoding

The token is parsed instantly as you paste or type — results update live with no button to press.

Color-Coded Panels

Header, Payload, and Signature each get their own distinctly colored panel, so the three parts are easy to tell apart at a glance.

JSON Syntax Highlighting

Keys, strings, numbers, booleans, and nulls are color-highlighted in the decoded header and payload for easy reading.

Claims Explained on Hover

Standard claims from the JWT spec, OpenID Connect, and OAuth 2.0 — such as iss, sub, aud, exp, iat, nbf, and jti — show a short description on hover.

Readable Timestamps

Unix timestamps like exp, iat, and nbf are annotated inline with a human-readable date, so you never convert them by hand.

Expiration Status

A clear badge marks the token as Valid, Expired, Not Yet Valid, or No Expiry, with a relative time countdown.

Algorithm & Type Display

The signing algorithm (HS256, RS256, ES256, and more) and the token type are read straight from the header and shown in the status bar.

One-Click Copy

Copy the decoded header, payload, or the signature on its own with a single click.

Sample Token

Load a ready-made demo token to see the decoder in action before pasting your own.

Fully Client-Side

Every token is decoded locally in your browser — nothing is sent to a server, saved, or tracked.

Frequently Asked Questions

Is it safe to decode a JWT online here?

Yes. This decoder runs entirely in your browser — your token is never sent to any server, stored, or logged. You can confirm it by opening your browser's network tab: no requests are made when you paste a token.

Does decoding a JWT verify the signature?

No. This is a decoder, not a verifier. It reads and displays the token's contents but does not check the cryptographic signature. To verify a signature you need the signing secret (for HMAC) or the public key (for RSA/ECDSA).

Can I decode a JWT without the secret key?

Yes. Decoding only reads the header and payload, which are plain Base64URL — no key is required. A secret or public key is only needed to verify a token, not to read what is inside it.

Is the JWT payload encrypted, or just Base64?

A standard signed JWT is not encrypted — the header and payload are simply Base64URL-encoded, so anyone can read them. The signature only proves the token has not been altered. Never put secrets in a JWT payload unless you are using encrypted JWE tokens.

What are the three parts of a JWT?

A JWT is three Base64URL strings joined by dots: the Header (token type and signing algorithm), the Payload (the claims about the user and token), and the Signature (a hash used to detect tampering). The decoder shows each part in its own panel.

How do I read the expiry (exp) claim?

The exp claim is a Unix timestamp. The decoder annotates it inline with a readable date and shows an Expired, Valid, or Not Yet Valid badge with a relative time, so you can tell a token's status at a glance without converting the number yourself.

Which signing algorithms are supported?

Decoding works with any JWT regardless of algorithm — HS256/384/512, RS256/384/512, ES256/384/512, PS256, and others. The algorithm is read from the header and shown in the status bar after the token is decoded.

Processed locally
HEADER
PAYLOAD
SIGNATURE
Paste your JWT token and it is decoded instantly
Hover over claim names to see what they mean
Timestamps like exp and iat are converted to readable dates automatically
Click Sample to load a demo token
Your token is decoded entirely in your browser — nothing is sent to any server
Want to learn more? Read documentation →
1/6
Start typing to search...
Searching...
No results found
Try searching with different keywords