Diagnostic suite · live

JWT Decoder

Decode a JSON Web Token's header and payload. Signature verification is NOT performed — never trust decoded claims without server-side verification.

Algorithm
HS256
Type
JWT
Subject
12345
Expiration
Token
Paste your JWT below
Header
alg / typ / kid
{
  "alg": "HS256",
  "typ": "JWT"
}
Payload
Claims & data
{
  "sub": "12345",
  "name": "Jane Doe",
  "iat": 1700000000
}
Standard claims
Issued at (iat)
2023-11-14T22:13:20.000Z
Subject (sub)
12345

About the JWT Decoder

The JWT Decoder parses any JSON Web Token and shows you the decoded header, payload and signature — with syntax highlighting, timestamp humanization (exp, iat, nbf), and a warning if the token has expired. JWTs are the ubiquitous format for API authentication and single sign-on, used by Auth0, Okta, Firebase, Cognito, Supabase and roughly every modern auth system.

Developers debug JWTs constantly — verifying that the token from a login flow contains the expected claims, checking why an API is returning 401 (often expired token), inspecting a Cognito or Auth0 token during integration, and confirming that a signed payload contains what the sender intended. This tool runs entirely in your browser, so your tokens stay on your device.

Important: this tool decodes JWTs but does not verify signatures. Signature verification requires the signing key (secret for HS256, public key for RS256/ES256). Decoding without verification is safe for debugging but never sufficient for trust — production code must always verify signatures.

How to use this tool

  1. 1Enter the required value in the input field above (domain, IP, URL, or text depending on the tool).
  2. 2Click the action button to run the check — results are computed instantly from our edge network.
  3. 3Review the parsed output, key fields and any warnings shown in the result card.
  4. 4Copy the result, share the page URL, or jump to a related tool from the sidebar to continue debugging.

Key features

  • Header, payload and signature displayed clearly
  • Timestamp claims (exp, iat, nbf) humanized
  • Expiry warning if the token is stale
  • Runs in your browser — tokens never leave your device
Related searches: jwt decoder · jwt parser · json web token decoder · jwt.io alternative · decode jwt online · auth0 token decoder

Frequently asked questions

A JSON Web Token — a compact, URL-safe format for representing claims between two parties. Structure: header.payload.signature, each base64url-encoded. Used for API auth, SSO, one-time links and passwordless flows.