JWT Decoder
Decode a JSON Web Token's header and payload. Signature verification is NOT performed — never trust decoded claims without server-side verification.
{
"alg": "HS256",
"typ": "JWT"
}{
"sub": "12345",
"name": "Jane Doe",
"iat": 1700000000
}- Issued at (iat)
- 2023-11-14T22:13:20.000Z
- Subject (sub)
- 12345
About the JWT Decoder
The JWT Decoder parses any JSON Web Token and shows you the decoded header, payload and signature — with syntax highlighting, timestamp humanization (exp, iat, nbf), and a warning if the token has expired. JWTs are the ubiquitous format for API authentication and single sign-on, used by Auth0, Okta, Firebase, Cognito, Supabase and roughly every modern auth system.
Developers debug JWTs constantly — verifying that the token from a login flow contains the expected claims, checking why an API is returning 401 (often expired token), inspecting a Cognito or Auth0 token during integration, and confirming that a signed payload contains what the sender intended. This tool runs entirely in your browser, so your tokens stay on your device.
Important: this tool decodes JWTs but does not verify signatures. Signature verification requires the signing key (secret for HS256, public key for RS256/ES256). Decoding without verification is safe for debugging but never sufficient for trust — production code must always verify signatures.
How to use this tool
- 1Enter the required value in the input field above (domain, IP, URL, or text depending on the tool).
- 2Click the action button to run the check — results are computed instantly from our edge network.
- 3Review the parsed output, key fields and any warnings shown in the result card.
- 4Copy the result, share the page URL, or jump to a related tool from the sidebar to continue debugging.
Key features
- Header, payload and signature displayed clearly
- Timestamp claims (exp, iat, nbf) humanized
- Expiry warning if the token is stale
- Runs in your browser — tokens never leave your device
Frequently asked questions
Related tools
Pretty-print, validate & minify JSON.
Live JavaScript regex playground.
Percent-encode & decode URLs.
SHA-1/256/384/512 via Web Crypto.
Sign JWTs with HS256/384/512 in your browser.
Lint Content-Security-Policy for unsafe patterns.