Kordu Tools
Developer Tools Runs in browser Updated 01 Apr 2026

JWT Decoder

Decode and inspect JWT tokens — view header, payload, claims, and expiry status without sending data to any server.


How to use JWT Decoder

  1. Copy your JWT token

    Get your JWT from your application's auth state, browser DevTools (Application tab → Cookies or Local Storage), an API client like Postman, or a cURL response.

  2. Paste the token

    Paste the full JWT string (three Base64url-encoded segments separated by dots) into the input box.

  3. Inspect the decoded sections

    View the decoded header (signing algorithm and type), the payload (all claims as formatted JSON), and the raw signature bytes.

  4. Check timestamps and expiry

    The exp and iat timestamps are shown as human-readable dates next to the raw Unix values. The expiry indicator tells you immediately whether the token is still inside its exp window, already expired, or carries no expiry claim at all. This is a clock comparison only: a token that shows as unexpired has not had its signature checked.

  5. Copy sections for debugging

    Use the Copy button next to each section to copy the decoded JSON to your clipboard for pasting into logs, bug reports, or other tools.
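The five steps above, as an added example that is not the Kordu Tools page's own code: a browser-style decoder that splits the token, base64url-decodes the header and payload, parses them as JSON, reports the signature as raw bytes, and classifies expiry from exp and nbf. It assumes the browser globals atob, btoa, TextEncoder and TextDecoder (also present in Node 16 and later); the sample token, its issuer, subject and placeholder signature are constructed for the example. It performs no signature verification, exactly like the tool.

```javascript
// Added example, not the Kordu Tools page's own code: a browser-style JWT
// decoder that does what the tool does (split, base64url-decode, parse, show
// expiry) and nothing more. It performs NO signature verification.
// Assumes the globals atob/btoa/TextEncoder/TextDecoder (browsers, Node >= 16).

// Base64url (RFC 4648 section 5, unpadded) -> bytes.
function base64UrlToBytes(segment) {
  let b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  while (b64.length % 4 !== 0) b64 += "=";
  const bin = atob(b64);
  const bytes = new Uint8Array(bin.length);
  for (let i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
  return bytes;
}

// Bytes -> base64url, used only to build the constructed sample token below.
function bytesToBase64Url(bytes) {
  let bin = "";
  for (const b of bytes) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

const utf8 = (bytes) => new TextDecoder().decode(bytes);

// `now` is a Unix time in seconds; it is a parameter so results are reproducible.
function decodeJwt(token, now = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length === 5) throw new Error("5 segments: this is a JWE (encrypted), not a decodable JWS");
  if (parts.length < 2 || parts.length > 3) throw new Error(`expected 2 or 3 segments, got ${parts.length}`);
  const [h, p, s = ""] = parts; // a trailing dot or a missing third segment -> empty signature

  const header = JSON.parse(utf8(base64UrlToBytes(h)));
  const payload = JSON.parse(utf8(base64UrlToBytes(p)));
  const signature = base64UrlToBytes(s); // raw bytes; meaningless without the key

  // Expiry status from exp (and nbf when present). This is a clock comparison,
  // not a validity check: a forged token with a future exp reports "unexpired".
  let status;
  if (typeof payload.exp !== "number") status = "no-exp";
  else if (payload.exp <= now) status = "expired";
  else if (typeof payload.nbf === "number" && payload.nbf > now) status = "not-yet-valid";
  else status = "unexpired";

  const iso = (t) => (typeof t === "number" ? new Date(t * 1000).toISOString() : null);
  return {
    header, payload, status,
    signatureLength: signature.length,
    times: { iat: iso(payload.iat), nbf: iso(payload.nbf), exp: iso(payload.exp) },
  };
}

// Constructed sample token (hypothetical issuer and subject). The signature
// segment is 32 zero bytes, a placeholder, NOT a real HMAC-SHA256 tag.
const SAMPLE_NOW = 1700000000; // 2023-11-14T22:13:20Z, fixed for reproducibility
function makeSampleToken(payload, header = { alg: "HS256", typ: "JWT" }) {
  const enc = new TextEncoder();
  const h = bytesToBase64Url(enc.encode(JSON.stringify(header)));
  const p = bytesToBase64Url(enc.encode(JSON.stringify(payload)));
  return `${h}.${p}.${bytesToBase64Url(new Uint8Array(32))}`;
}
const SAMPLE_TOKEN = makeSampleToken({
  iss: "https://issuer.example", sub: "user-123", aud: "api.example",
  iat: SAMPLE_NOW - 60, nbf: SAMPLE_NOW - 60, exp: SAMPLE_NOW + 3600, roles: ["admin"],
});

console.log(JSON.stringify(decodeJwt(SAMPLE_TOKEN, SAMPLE_NOW), null, 2));
```

Pasting the same token with its signature segment removed (header.payload.) still decodes, with signatureLength 0; a five-segment JWE is rejected because its payload is encrypted rather than merely encoded.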

JWT Decoder FAQ

Is it safe to paste my JWT here?

All decoding is done entirely in your browser using JavaScript. Your token is never sent to any server or stored anywhere. However, treat production JWTs with the same care as passwords — decode them in a private tab and avoid sharing screenshots containing live tokens.

What is in a JWT?

A JWT has three Base64url-encoded sections separated by dots. Base64url is an encoding, not encryption: anyone holding the token can read the first two sections. The header contains the signing algorithm (e.g. RS256) and token type. The payload contains claims — key-value pairs like sub (user ID), exp (expiry), roles, and any custom data your auth provider adds. The signature is an HMAC tag or digital signature computed over the first two sections; it shows up as raw bytes rather than readable text, and it is what lets a server holding the key detect any change to the header or payload. Until that check has happened, every claim you see is unverified input.

Why does my token show as expired?

The exp claim is a Unix timestamp in seconds (not milliseconds). If that time is earlier than now, the token is expired and most servers will return 401; refresh the token or re-authenticate to get a fresh one. If the tool and your server disagree about expiry, compare clocks: the indicator uses your browser's clock, while the server uses its own and may be configured to allow a small leeway.

Can this tool verify a JWT signature?

No. Verifying a JWT signature requires key material: the shared secret for HMAC algorithms (HS256, HS384, HS512) or the issuer's public key for RS*, ES*, PS* and EdDSA tokens. A shared secret must never be entered into a browser tool, and this tool performs no verification with either kind of key. It is for inspection and debugging only; use your server-side JWT library for verification.

What JWT algorithms does this support for decoding?

Any algorithm: HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, and EdDSA. The header alg field is decoded and displayed exactly as it appears in the token, but no cryptographic verification is performed, so the displayed algorithm is a claim the token makes about itself, not evidence that it was actually signed that way.

Does this work with Auth0, Firebase, Cognito, and Supabase tokens?

Yes. All of these services issue standard JWTs that follow the same RFC 7519 format. Paste the access token or ID token from any of them to inspect the claims.

What is the difference between an access token and an ID token?

An access token authorises API calls and typically contains scopes and roles. An ID token (OpenID Connect) contains user identity claims like name, email, and profile picture. Both are JWTs but serve different purposes — do not use ID tokens for API authorisation.

Can I decode a JWT without the signature?

Yes. If you only have the header and payload (the first two segments), you can paste them with a trailing dot and the decoder will still parse the header and payload. The signature is not needed for decoding — only for verification.

Why is there no verification feature?

JWT verification needs key material: the shared HMAC secret for HS* algorithms, or the issuer's public key for RS*, ES*, PS* and EdDSA. Pasting a shared secret into a browser tool exposes it, so this tool deliberately has no verification feature at all. Never enter production secrets into a browser-based tool. Use your backend JWT library (jsonwebtoken, python-jose, golang-jwt) for verified token inspection, and configure it with the algorithm you expect rather than letting the token's own alg header choose the check.

Background

JWT Decoder is the fastest way to inspect a JSON Web Token without writing code. Paste a token from your application, browser DevTools, API client, or cURL response and the tool immediately decodes and formats all three sections.

The header section shows the signing algorithm (HS256, RS256, ES256, etc.) and token type. The payload section displays every claim in formatted JSON: standard registered claims (iss, sub, aud, exp, nbf, iat, jti) alongside any custom claims your auth provider adds — roles, permissions, tenant IDs, email addresses, and more. Timestamps in exp and iat are converted to human-readable dates alongside the raw Unix values.

The expiry status indicator compares the exp claim against the current time and clearly marks the token as unexpired, expired, or missing an expiry claim. Useful for debugging why an API call returns 401 when you expect the session to still be active. Because only the timestamp is compared, "unexpired" here never means "valid": a token with a bad or missing signature and a future exp shows as unexpired too.

This tool decodes only — it cannot verify the JWT signature because verification requires the secret key or public key, which should never be pasted into a browser tool. Use it for inspection and debugging, not for security validation. All decoding runs client-side; your tokens never leave your browser.
