JWT Decoder

Decode and inspect JSON Web Tokens (JWT) — view header, payload, and signature.

What Is a JWT (JSON Web Token)?

A JSON Web Token (JWT) is a compact, URL-safe token format used for securely transmitting information between parties. JWTs are the standard mechanism for authentication in modern web applications and APIs. When you log into a website or call an API with a bearer token, you're almost certainly using a JWT.

A JWT consists of three Base64URL-encoded parts separated by dots: the header (specifying the algorithm and token type), the payload (containing claims like user ID, roles, and expiration time), and the signature (used to verify the token hasn't been tampered with). Common algorithms include HS256 (HMAC with SHA-256) for symmetric signing and RS256 (RSA with SHA-256) for asymmetric signing.

This JWT decoder parses any JWT token and displays its header, payload, and signature in a readable format. It automatically detects and formats standard claims like iat (issued at), exp (expiration), and nbf (not before), converting Unix timestamps to human-readable dates. It also shows whether the token is expired. All decoding happens in your browser — your tokens never leave your machine.

How to Decode a JWT Token

  1. Paste your JWT — Copy a JWT token (starting with eyJ...) into the input field. The decoder begins parsing as you type.
  2. Click "Decode" — The token is split into its three parts and each is Base64URL-decoded and parsed as JSON.
  3. Inspect the header — View the algorithm (alg), token type (typ), and any additional header claims like kid (key ID).
  4. Inspect the payload — View all claims including sub (subject), iss (issuer), exp (expiration), custom claims, and more. Timestamps are shown in human-readable format.
  5. Check expiration — The decoder shows whether the token is currently expired, along with the exact issued-at and expiration timestamps.

Key Features

  • Real-time decoding — The token is parsed as you type, giving instant feedback without clicking a button.
  • Timestamp formatting — Standard JWT timestamps (iat, exp, nbf) are converted from Unix epochs to human-readable dates and times.
  • Expiration checking — Immediately see whether the token is expired, with a clear visual indicator (green for valid, red for expired).
  • Syntax-highlighted JSON — Header and payload are displayed with color-coded keys, strings, numbers, booleans, and null values.
  • Section copying — Copy the header, payload, or signature individually with dedicated copy buttons.
  • Algorithm detection — Shows the signing algorithm (HS256, RS256, ES256, etc.) and token type in badge format.
  • 100% client-side — Your JWT tokens never leave your browser. No server, no uploads, no logging.

Common Use Cases

  • Debugging authentication — Decode a JWT from your browser's local storage, cookies, or API response to check its claims and expiration.
  • API development — Inspect tokens generated by your auth server to verify they contain the correct claims, scopes, and expiration times.
  • Token troubleshooting — Diagnose "401 Unauthorized" errors by checking if the token is expired, missing required claims, or using the wrong algorithm.
  • Learning JWT structure — Understand how JWTs work by decoding sample tokens and seeing the header, payload, and signature components.
  • Security auditing — Check what information is stored in JWTs to identify tokens that expose sensitive data (JWTs are encoded, not encrypted).

🔒 This tool runs entirely in your browser. No data is sent to any server.