JWT Decoder — Read Any Token Instantly
This JWT decoder lets you paste any JSON Web Token and instantly read its header, payload, and signature in your browser. It is built for developers debugging authentication, API authorization, or single sign-on flows who need to see exactly what a token contains.
A JWT has three dot-separated parts: the Header (token type and signing algorithm), the Payload (the claims — user ID, email, roles, expiry, and more), and the Signature (used to verify the token was not tampered with). The decoder splits and formats all three the moment you type, with claim explanations and human-readable timestamps to save you the lookups.
How to Decode a JWT
Paste your token
Drop your JWT into the Encoded Token field. It decodes automatically as you type — no button to press. Click Sample to load a demo token if you just want to see how it works.
Read the decoded parts
The Header and Payload appear as formatted JSON with syntax highlighting, each in its own color-coded panel. The Signature is shown as its raw Base64URL string.
Check the status
The status bar shows the signing algorithm and token type, plus whether the token is Valid, Expired, Not Yet Valid, or has No Expiry, with a relative time such as "Expires in 2 hours".
Explore and copy
Hover any recognized claim name — like iss, sub, or exp — to see what it means. Use the copy buttons to grab the header, payload, or signature on its own.
Features
Real-Time Decoding
The token is parsed instantly as you paste or type — results update live with no button to press.
Color-Coded Panels
Header, Payload, and Signature each get their own distinctly colored panel, so the three parts are easy to tell apart at a glance.
JSON Syntax Highlighting
Keys, strings, numbers, booleans, and nulls are color-highlighted in the decoded header and payload for easy reading.
Claims Explained on Hover
Standard claims from the JWT spec, OpenID Connect, and OAuth 2.0 — such as iss, sub, aud, exp, iat, nbf, and jti — show a short description on hover.
Readable Timestamps
Unix timestamps like exp, iat, and nbf are annotated inline with a human-readable date, so you never convert them by hand.
Expiration Status
A clear badge marks the token as Valid, Expired, Not Yet Valid, or No Expiry, with a relative time countdown.
Algorithm & Type Display
The signing algorithm (HS256, RS256, ES256, and more) and the token type are read straight from the header and shown in the status bar.
One-Click Copy
Copy the decoded header, payload, or the signature on its own with a single click.
Sample Token
Load a ready-made demo token to see the decoder in action before pasting your own.
Fully Client-Side
Every token is decoded locally in your browser — nothing is sent to a server, saved, or tracked.
Frequently Asked Questions
Is it safe to decode a JWT online here?
Yes. This decoder runs entirely in your browser — your token is never sent to any server, stored, or logged. You can confirm it by opening your browser's network tab: no requests are made when you paste a token.
Does decoding a JWT verify the signature?
No. This is a decoder, not a verifier. It reads and displays the token's contents but does not check the cryptographic signature. To verify a signature you need the signing secret (for HMAC) or the public key (for RSA/ECDSA).
Can I decode a JWT without the secret key?
Yes. Decoding only reads the header and payload, which are plain Base64URL — no key is required. A secret or public key is only needed to verify a token, not to read what is inside it.
Is the JWT payload encrypted, or just Base64?
A standard signed JWT is not encrypted — the header and payload are simply Base64URL-encoded, so anyone can read them. The signature only proves the token has not been altered. Never put secrets in a JWT payload unless you are using encrypted JWE tokens.
What are the three parts of a JWT?
A JWT is three Base64URL strings joined by dots: the Header (token type and signing algorithm), the Payload (the claims about the user and token), and the Signature (a hash used to detect tampering). The decoder shows each part in its own panel.
How do I read the expiry (exp) claim?
The exp claim is a Unix timestamp. The decoder annotates it inline with a readable date and shows an Expired, Valid, or Not Yet Valid badge with a relative time, so you can tell a token's status at a glance without converting the number yourself.
Which signing algorithms are supported?
Decoding works with any JWT regardless of algorithm — HS256/384/512, RS256/384/512, ES256/384/512, PS256, and others. The algorithm is read from the header and shown in the status bar after the token is decoded.
No comments yet. Be the first to comment!