JSON Web Tokens are compact, URL-safe credentials — three base64url-encoded segments (header, payload, signature) joined by dots, signed by an issuer. This decoder splits them, base64url-decodes the first two, and renders the JSON. It does not verify the signature: that requires the issuer's secret or public key and is the server's job, not the browser's.
JWT decoder
JSON Web Tokens carry claims a server vouches for. Decoding a JWT reveals what those claims say — but never whether they are valid.
Inspect the header and payload of a JSON Web Token in your browser.
{
  "alg": "HS256",
  "typ": "JWT"
}
{
  "sub": "user_887",
  "name": "Maciej Z.",
  "iat": 1715237400,
  "exp": 1715241000
}
Common use cases
Debugging auth failures
When 401 Unauthorized lands in your error log, the fastest diagnostic is to paste the offending token and read what the issuer actually wrote.
Inspecting expiry
We render iat, exp, and nbf in UTC and compare against current time — you see at a glance whether the token has expired.
Reading custom claims
Anything beyond the standard set (iss, sub, aud, iat, exp, nbf, jti) is issuer-specific — roles, user IDs, plan tiers, scopes.
How to use this tool
1. Paste the full token (header.payload.signature) into the input.
2. Read the parsed header — alg (HS256, RS256, EdDSA…) and typ (always "JWT").
3. Read the payload — the actual claims the issuer signed.
4. Check expiry in the stat strip below.
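The same four steps as code, added here as an example and not this tool's own source: it splits the token, base64url-decodes the header and payload, and compares nbf and exp with the current time, without checking the signature. The names decodeJwt, timeStatus, toUtc and SAMPLE_TOKEN are assumptions made for this example, and the sample token is constructed from the header and payload shown above.

```javascript
// Added example: decodes a JWT for inspection only. Nothing here verifies the signature.
const b64urlToText = (seg) => {
  if (!/^[A-Za-z0-9_-]+$/.test(seg)) throw new Error("segment is not base64url");
  const b64 = seg.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4); // restore stripped padding
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes); // reject invalid UTF-8
};

function decodeJwt(token) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const [header, payload] = parts.slice(0, 2).map((p) => JSON.parse(b64urlToText(p)));
  for (const part of [header, payload])
    if (part === null || typeof part !== "object") throw new Error("segment is not a JSON object");
  // verified is always false: the claims are readable, not trustworthy.
  return { header, payload, signature: parts[2], verified: false };
}

// Unix seconds -> UTC ISO 8601 string.
const toUtc = (seconds) => new Date(seconds * 1000).toISOString();

// Compare nbf/exp with the current time (seconds since the epoch).
function timeStatus(payload, now = Math.floor(Date.now() / 1000)) {
  const { nbf, exp } = payload;
  if (typeof nbf === "number" && now < nbf) return "not-yet-valid";
  if (typeof exp === "number" && now >= exp) return "expired";
  return typeof exp === "number" ? "within-validity-window" : "no-exp-claim";
}

// Constructed sample: the header and payload shown on this page, with a
// placeholder third segment that is not a real signature.
const enc = (obj) =>
  btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE_TOKEN = [
  enc({ alg: "HS256", typ: "JWT" }),
  enc({ sub: "user_887", name: "Maciej Z.", iat: 1715237400, exp: 1715241000 }),
  "constructed-placeholder-signature",
].join(".");

const { header, payload } = decodeJwt(SAMPLE_TOKEN);
console.log(header.alg, payload.sub, toUtc(payload.exp), timeStatus(payload));
```

The sample token's exp passed long ago, so the last line reports it as expired when run today.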
Frequently asked questions
Can I verify the signature here?
No. Verification requires the algorithm-specific key — HMAC secret for HSxxx, public key for RSxxx / ESxxx / EdDSA — plus a library that knows the algorithm. Always verify server-side, never in the browser.
Is it safe to paste production JWTs?
The token never leaves your browser tab and we don’t log it. That said, JWTs frequently carry personally identifiable claims — treat your clipboard history accordingly.
What’s the difference between JWT and a session cookie?
Session cookies are opaque references that the server resolves against a session store per request. JWTs are self-contained — the server validates them without a database round-trip. Tradeoff: you can revoke a session row; you cannot un-issue a JWT before its exp.