JWT Decoder

Decode, inspect, and verify JSON Web Tokens (JWT) instantly, entirely in your browser. Paste any token (HS256, HS384, HS512, RS256, RS384, ES256, EdDSA, none) and see the Header, Payload, and Signature broken down with pretty-printed JSON, automatic algorithm detection, an expiration countdown, and validation of the standard claims (exp, nbf, iat, sub, iss, aud, jti). Verify HMAC signatures with your secret, or RSA/ECDSA/EdDSA signatures with a PEM public key, directly in-browser. Your tokens never touch our servers, which is what makes this JWT debugger safe to use with production tokens.

Paste a JWT (with or without "Bearer " prefix) — decoding happens instantly
Token Stays Local: never leaves your browser
Zero Network Calls: no server, no logging
Production Safe: safe with real tokens
Always Free: no signup, no limit


Supported Algorithms

  • HS256 / HS384 / HS512: HMAC with SHA-2, verify with secret
  • RS256 / RS384 / RS512: RSA, verify with PEM public key
  • ES256 / ES384: ECDSA, verify with PEM public key
  • EdDSA (Ed25519): verify with PEM public key

Security Tips

  • JWTs are encoded, not encrypted. Anyone with the token can read the payload.
  • Never put passwords or PII in a JWT payload.
  • Always validate the alg claim server-side — reject none and unexpected algorithms.
  • Set short exp values for access tokens (5–15 min).

What This Tool Does

Instant Decode: Header, Payload, Signature
Algorithm Detection: HS256, RS256, ES256, EdDSA
Signature Verify: HMAC + RSA + ECDSA + EdDSA
Expiry Check: exp · nbf · iat countdown
Privacy First: 100% browser, zero network

Keyboard Shortcuts

Ctrl+V: Paste token
Esc: Clear input
S: Load sample
C: Copy payload

Decode Any JWT Token Instantly — Privately

Whether you are a backend engineer debugging an authentication failure, a frontend developer inspecting an access token, a security researcher auditing OAuth flows, a DevOps engineer chasing down a 401 in production, or a student learning about JSON Web Tokens — this free JWT decoder gives you instant visibility into the structure and claims of any JWT, without uploading a single byte to any server.

Paste any JSON Web Token (with or without the Bearer prefix from an HTTP header) into the input area above. The tool automatically splits the token at the dot separators, Base64-URL-decodes each section, parses the JSON inside, and displays the decoded Header, Payload, and Signature in three color-coded panels — the same convention popularized by jwt.io. Standard claims (exp, nbf, iat, iss, aud, sub) are extracted into a friendly grid with human-readable timestamps and a live expiration countdown.

How to Use the JWT Decoder

Step 1: Copy Your JWT Token

Grab the JWT from wherever you have it: an HTTP Authorization: Bearer … header, a cookie, a URL fragment, your application logs, or your OAuth playground response. A signed JWT is always three Base64-URL strings joined by dots: xxxxx.yyyyy.zzzzz (an encrypted JWE has five dot-separated parts and is out of scope for this tool).

Step 2: Paste It Here

Paste into the input field. The tool strips any Bearer prefix automatically and starts decoding instantly — no submit button required. If the input does not look like a JWT, you will see a clear error explaining why.

Step 3: Inspect the Decoded Sections

The Header (red) shows the signing algorithm and token type. The Payload (purple) shows all claims with the standard ones highlighted. The Signature (cyan) shows the raw signature bytes plus a verification panel matched to the detected algorithm.

Step 4: Verify the Signature (Optional)

For HS256/384/512 tokens, paste your secret and the tool recomputes the HMAC over header.payload and compares it with the token's signature. For RS256/ES256/EdDSA tokens, paste a PEM-encoded public key and the tool verifies the signature against that key (a public key cannot recompute the signature, only check it). Both paths go through the Web Crypto API, entirely in your browser.


Key Features

Pretty-Printed JSON

The decoded Header and Payload are formatted with proper indentation and syntax highlighting — quoted keys, colored strings, numbers, booleans, and nulls all distinct.

All Major Algorithms

Decodes any JWT regardless of the alg header (HS256/384/512, RS256/384/512, ES256/384, EdDSA, PS256, none). Verifies HS, RS, ES and EdDSA signatures using the browser's built-in Web Crypto API, with no external libraries; PS256 and none are decoded but not verified.

Live Expiry Countdown

Automatically converts exp, nbf, iat Unix timestamps to readable dates. Shows time-until-expiry as a live countdown and flags expired or future tokens.

Signature Verification

Verify HMAC signatures with your secret, or RSA/ECDSA/EdDSA signatures with a PEM public key. Results show as a clear pass/fail badge with the verification algorithm used.

Zero Network

Decoding, validation, and verification all happen in your browser. Open DevTools Network tab and you will see zero requests carrying your token — making this safe for production secrets.

Local Token History

Recently decoded tokens are saved in your browser only — no server sync, no leakage. Quickly re-inspect a token from earlier in your debugging session with one click.

Why Decode and Inspect JWT Tokens?

JWTs are among the most common token formats in modern web and mobile authentication, issued by Google, Microsoft, Amazon, Facebook, Auth0, Firebase, Okta, AWS Cognito, Keycloak, and almost every OAuth 2.0 / OpenID Connect identity provider. When something goes wrong in an authentication flow, the first thing a developer needs to do is decode the JWT and inspect the claims inside. Yet many online JWT decoders are server-side, which means pasting a production token into them effectively leaks it. This online JWT decoder fixes that with a pure-client design.

Backend engineers use a JWT debugger to chase down 401 Unauthorized errors, verify the right scopes are being issued, and confirm that custom claims like roles, tenant IDs, or feature flags reach the API correctly. Frontend developers use a JWT token decoder to inspect tokens returned from login endpoints, debug refresh-token rotation, and validate the user object structure their UI depends on. Security engineers use a JWT verifier to audit implementations for known weaknesses: the classic alg: none bypass, algorithm-confusion attacks, weak HMAC secrets, missing audience validation, and tokens accepted without any signature check. Students learning OAuth or OpenID Connect use a free JWT decoder online to understand how the spec works in practice by decoding real tokens issued by their identity provider.

Whatever your reason — this online JWT parser removes all friction: paste, see decoded, verify. No browser extension, no third-party desktop tool, no API quota, no upload of your token anywhere. Decoding, claim parsing, expiry checking, and signature verification all happen in the JavaScript engine of your browser using the built-in Web Crypto API.

Understanding JWT Encoding: How JSON Web Tokens Are Structured

A JSON Web Token (JWT) follows a precise, compact format defined in RFC 7519. Every JWT consists of three sections separated by single dots: header.payload.signature. Each section is independently Base64-URL encoded — a variation of Base64 that uses - and _ instead of + and / so the token stays safe inside URLs, HTTP headers, and cookies without further percent-encoding. Base64-URL also strips trailing = padding to shorten the token.

The header and payload are Base64-URL-encoded JSON objects. This means anyone with the token can decode the first two parts and read every claim inside; there is no encryption involved. This is critical to remember: a JWT is signed, not encrypted. Never put passwords, API secrets, or sensitive personal data in a JWT payload. If you need actual encryption, look at JSON Web Encryption (JWE) instead. The signature is computed over the string base64url(header) + "." + base64url(payload) using the algorithm declared in the header's alg field, and is itself Base64-URL-encoded. Until the signature has been checked, that alg field is attacker-controlled input: a verifier should choose the algorithm from its own configuration or from the key it holds, never from the token (see the best practices below).

Older or non-standard JWTs may omit the standard optional fields entirely, use unusual algorithms, or contain payloads that aren't valid JSON. This JWT decoder handles all of these edge cases — it gracefully shows missing claims, flags non-standard structures, and correctly handles unicode characters in claim values using the browser's TextDecoder API. The full RFC 7519 standard claim set (iss, sub, aud, exp, nbf, iat, jti) is extracted into a friendly grid alongside any custom claims your identity provider added.

Is This JWT Decoder Safe and Legal to Use?

Who Uses an Online JWT Decoder?

A free JWT decoder online is essential for anyone working with authentication, authorization, single sign-on (SSO), OAuth 2.0, OpenID Connect, or API security. Whether you're searching for a JWT debugger, a bearer token decoder, a JSON Web Token parser, or a JWT validator, these are the workflows it powers:

Backend & API Engineers

Debug 401 Unauthorized errors, inspect claims your auth middleware is checking, verify signing keys match, troubleshoot expired tokens, and validate that custom claims are being issued correctly by your identity provider.

Frontend Developers

Inspect tokens received from your login flow, verify the user roles or permissions inside the payload, debug refresh-token rotation, and confirm what data the server is exposing through the JWT.

Security Engineers & Pentesters

Audit JWT implementations for the classic vulnerabilities — alg-confusion attacks, weak HMAC secrets, missing signature validation, accepted "none" algorithm. Use it during authorized penetration tests or bug-bounty assessments.

DevOps & SRE

Trace authentication failures through service-mesh logs, validate tokens passed between microservices, check expiration in long-running batch jobs, and verify that your identity provider is configured correctly.

Students & Learners

Learn how JWTs are structured by decoding real examples. See exactly which claims OAuth providers like Google, GitHub, and Auth0 include. Understand what "Base64-URL encoded" means in practice.

QA & Test Engineers

Verify that test tokens have the right roles and scopes for your test cases. Inspect tokens generated by your CI pipeline. Confirm expected expiry values and audience restrictions in automated tests.

Understanding JWT Structure: The 3 Parts Explained

Every JSON Web Token follows the same structure: three Base64-URL-encoded segments separated by dots. The standard format is header.payload.signature. Each section serves a distinct purpose. Here's exactly what each one contains and how to read it.

Section   | Encoding           | Contents                               | Typical Claims / Fields
Header    | Base64-URL → JSON  | Token type and signing algorithm       | alg, typ, kid, cty
Payload   | Base64-URL → JSON  | Claims about the subject and the token | sub, iss, aud, exp, nbf, iat, jti + custom
Signature | Base64-URL → Bytes | Cryptographic proof of authenticity    | HMAC or RSA/ECDSA/EdDSA signature

Standard payload claims (RFC 7519): iss (issuer), sub (subject — usually the user ID), aud (audience — who the token is intended for), exp (expiration time as Unix timestamp), nbf (not-before time), iat (issued-at time), jti (unique JWT ID for revocation tracking). Custom claims like email, roles, permissions, or vendor-specific fields like cognito:username appear alongside the standard claims.

Why This Is the Best Free JWT Decoder Online

Search for "JWT decoder online" and you'll find dozens of options. Most have one or more deal-breakers — sending your token to a server, requiring signup for HMAC verification, missing modern algorithms like EdDSA, lacking proper expiry/claim breakdowns, or burying the actual decoder under ads. We built this JWT decoder with developers' privacy and workflow speed as the priority.

What We Do

  • 100% browser-based — token never leaves your device
  • Signature verification for HS256/384/512, RS256/384/512, ES256/384 and EdDSA (decoding works for any alg, including PS256 and none)
  • Web Crypto API for signature verification (native, no third-party crypto)
  • Auto-strips Bearer prefix and whitespace
  • Live expiration countdown with human-readable claim parsing
  • Color-coded panels matching the jwt.io convention
  • Works fully offline after page load
  • Recent token history in localStorage only
  • Production-token safe — verifiable in DevTools Network tab
  • No signup, no API key, no daily limit

What Other Sites Do

  • Send your JWT to their server for "processing"
  • Skip signature verification, or paywall it behind signup
  • Don't support modern algorithms like EdDSA or ES256
  • Force you to manually strip the Bearer prefix
  • Show raw Unix timestamps instead of readable dates
  • Bury decoded output behind 5 ads and a paywall
  • Require an internet connection for every decode
  • Track every token you paste with analytics
  • No history feature, or worse — server-side history
  • Hard rate limits or "premium" tiers for serious use

How to Decode a JWT Token on Any Device

This JWT decoder works identically on every modern device. Whether you want to decode a JWT on Windows, parse a bearer token on Mac, debug a JWT on Linux, or inspect a token on iPhone or Android — the workflow is the same.

How to Decode a JWT on Desktop (Windows · Mac · Linux)

  1. Copy the JWT from your auth flow, HTTP header, or logs.
  2. Press Ctrl+V anywhere on this page (or click Paste).
  3. Header, Payload, and Signature appear instantly with full validation.
  4. For HS256: paste your secret in the verification box to confirm signature.

How to Decode a JWT on Mobile (Android & iPhone)

  1. Copy the JWT from wherever you have it (Postman mobile, Slack, email, your app).
  2. Open this page and tap the Paste button — clipboard reads instantly.
  3. Scroll the three decoded sections; they're fully readable on mobile.
  4. Tap Copy on any section to grab the decoded JSON.

How to Decode a Bearer Token from an HTTP Header

  1. Copy the full Authorization: Bearer eyJhbGciOi... header value.
  2. Paste the entire string — the tool auto-strips Bearer .
  3. Inspect claims, scopes, and expiration time.
  4. Optionally paste your verifying key to confirm the signature.

JWT Security Best Practices

Understanding JWT security goes beyond just decoding. Here are the patterns that keep production systems secure when working with JSON Web Tokens:

  • Never put secrets in the payload. JWTs are encoded, not encrypted. Anyone with the token can read every claim. Treat the payload as public.
  • Reject the none algorithm. Always validate the alg claim server-side and reject tokens with no signature. Libraries that accepted alg: none were the classic JWT vulnerability, first publicized in 2015; make sure yours is patched and configured with an explicit allow-list of algorithms.
  • Lock down the signing algorithm. Don't let attackers downgrade RS256 → HS256 by passing your public key as the HMAC secret. Hardcode the expected algorithm in your verifier.
  • Use short expiration times. Access tokens: 5–15 minutes. Refresh tokens: 1–7 days with rotation. Long-lived JWTs are hard to revoke.
  • Validate aud and iss. A token from your auth server intended for Service A should not be valid at Service B. Check both claims.
  • Use RS256 or ES256 for distributed systems. Asymmetric signing lets verifiers hold only the public key — easier key rotation and lower blast radius if a verifier is compromised.
  • Rotate signing keys. Use the kid (key ID) header claim to identify which key signed the token, enabling smooth key rotation.
  • Set HMAC secrets to 256+ bits. Use a CSPRNG-generated random secret for HS256, never a human-chosen password.

Frequently Asked Questions

How do I decode a JWT token?

Paste your JWT token into the input field at the top of this page. The tool auto-detects the three parts (header, payload, signature), Base64-URL-decodes them, parses the JSON inside, and shows everything pretty-printed in three color-coded panels — exactly like jwt.io. No submit button needed, and decoding happens instantly as you paste.

What is a JWT (JSON Web Token)?

A JWT is a compact, URL-safe means of representing claims to be transferred between two parties. It consists of three Base64-URL-encoded parts separated by dots: header.payload.signature. The header specifies the signing algorithm (like HS256 or RS256). The payload contains claims — statements about the user (subject, expiration, issuer, etc.). The signature lets the recipient verify the token was issued by a trusted party and has not been tampered with. JWTs are standardized in RFC 7519 and are widely used for authentication, single sign-on (SSO), and API authorization.

Is this JWT decoder safe to use with production tokens?

Yes. This tool is built specifically with production safety in mind. All decoding and signature verification happens entirely in your browser using the Web Crypto API and JavaScript. Your token is never uploaded, never logged, never sent to any server. It does not touch our database, analytics, or any third party. This makes it safe to decode tokens that contain real user IDs, production claims, or sensitive metadata. Open your browser DevTools Network tab while using the tool and you will see zero outbound requests carrying your JWT. The remaining exposure is on your own machine: a pasted token sits in your clipboard, in page memory, and (if you keep history) in localStorage, and a browser extension with access to this page can read it, so clear the history before leaving a shared computer.

Can this tool verify a JWT signature?

Yes for HMAC-signed tokens (HS256, HS384, HS512). Paste your secret into the "Verify Signature" field below the input and the tool computes the HMAC using the Web Crypto API and compares it to the token signature. For RSA (RS256, RS384, RS512) and ECDSA (ES256, ES384) tokens, you can paste a PEM-encoded public key to verify. EdDSA verification works in browsers whose Web Crypto implementation supports Ed25519, which arrived later than the other algorithms, so check your browser version if the EdDSA badge stays grey. The "alg: none" case is also detected and clearly flagged as insecure.

What algorithms are supported?

Decoding works for any token regardless of algorithm — that just reads the Base64 sections. Signature verification supports: HS256, HS384, HS512 (HMAC with SHA-2), RS256, RS384, RS512 (RSA with SHA-2), ES256, ES384 (ECDSA on P-256, P-384), and EdDSA (Ed25519, in browsers that support it via WebCrypto). Tokens using "alg: none" are decoded but flagged as having no signature.

How do I check when a JWT expires?

The tool automatically reads the standard "exp" (expiration), "nbf" (not before), and "iat" (issued at) claims from the payload and converts the Unix timestamps to human-readable dates. A countdown timer shows exactly how long until expiry. Expired tokens are flagged in red, valid ones in green, and tokens not yet valid (future "nbf") are flagged in orange. You also see issuer ("iss"), audience ("aud"), subject ("sub"), and any custom claims.

Why does my JWT show "Invalid token format"?

A valid signed JWT (a JWS) must have exactly three parts separated by dots: header.payload.signature. An encrypted JWT (JWE) has five parts and cannot be decoded without the recipient's private key, so it is rejected here too. The most common causes of the error: extra "Bearer" prefix copied from an HTTP header (we strip it automatically, but check anyway), missing or extra whitespace, trailing equals signs from regular Base64 (JWTs use Base64-URL which has no padding), or a truncated token. Make sure you copied the entire token; RSA-signed tokens can be quite long.

What is the difference between encoding and signing?

Encoding (Base64-URL) just turns binary or text into a URL-safe string and is fully reversible — anyone can decode and read a JWT payload. Signing creates a cryptographic signature using a secret key or private key that only the issuer knows. The signature lets the recipient verify the token was issued by a trusted party and has not been modified. Critically: JWTs are NOT encrypted by default — never put passwords or sensitive secrets in a JWT payload because anyone with the token can read it.

Can I decode an expired JWT?

Yes. Decoding never fails because of expiration — the tool just reads the Base64 contents. The expiration check is a separate validation step that runs after decoding and shows an "Expired" badge with the exact time elapsed since expiry. This is useful for debugging — many bugs come from clock skew or unexpected expiry. The decoded header and payload are still fully visible regardless of validity.

Does this work with refresh tokens?

Yes if the refresh token is itself a JWT (which is one common pattern). Many systems use opaque random strings for refresh tokens instead — those are not JWTs and cannot be decoded because they have no structure to decode. If you paste an opaque token, the tool will tell you it does not have a valid JWT structure rather than producing nonsense output.

Is the JWT Decoder free? Are there usage limits?

Completely free, no signup, no daily limit, no token size limit. Decode as many tokens as you want. There are no rate limits because there is no server involved; every decode happens locally on your machine. Once the page has loaded it keeps working even if you lose your internet connection, since all logic runs in your browser.

Can I save a JWT for later inspection?

Recently decoded tokens are stored locally in your browser using localStorage and listed in the "Recent Tokens" panel. They never leave your device. Click any item to re-load it instantly. Clear individual entries with the X button or wipe the entire history. This is purely a convenience feature: your tokens are not synced anywhere, but localStorage persists on disk and is readable by any script running on this origin, so wipe the history before leaving a shared machine.

How is this JWT decoder different from jwt.io?

Both decode JWTs client-side, but this tool adds several advantages: (1) automatic Bearer prefix stripping, (2) live expiration countdown that updates every second, (3) human-readable formatting of all standard claim timestamps (exp, nbf, iat), (4) recent-token history stored locally, (5) support for the full algorithm range including modern EdDSA (Ed25519), (6) clearer validation pills showing every check at a glance, and (7) faster page load with no third-party crypto libraries. We also include an explicit safety/legality section so non-developers using this for OAuth learning know exactly what they're looking at.

Can I verify a JWT without knowing the secret or public key?

No — that's the whole point of cryptographic signatures. Without the correct secret (for HMAC) or public key (for RSA/ECDSA/EdDSA), you can decode the header and payload, but you cannot mathematically prove the token was issued by a trusted party. The signature requires the corresponding key to verify. You can still inspect all claims, check expiration, and validate structure — but the "Verified" badge will only appear when you provide the correct verifying key.