Client-Side Only — Your JWT tokens are decoded entirely in the browser. No data is sent to any server.

JWT Decoder

Real-time Decoding

Instantly decode JWT tokens as you type with debounced processing.

100% Client-Side

Your tokens never leave the browser. Completely private and secure.

Signature Verification

Verify HMAC signatures (HS256/384/512) using the Web Crypto API.

What Is JWT Decoder?

JWT Decoder is a free online tool that lets you decode and inspect JSON Web Tokens (JWTs) entirely in your browser. Paste any JWT to instantly view its header, payload (with human-readable timestamps), and signature — without sending any data to a server.

Key Features

  • Real-time decoding — header, payload, and signature are parsed instantly as you type
  • JSON syntax highlighting with color-coded keys, strings, numbers, booleans, and null values
  • Automatic timestamp conversion for iat, exp, nbf, and auth_time fields with relative expiration display
  • HMAC signature verification (HS256, HS384, HS512) using the Web Crypto API
  • One-click copy for decoded header and payload JSON
  • Algorithm auto-detection from the token header

How to Use

Paste your JWT token into the input area on the left. The header, payload, and signature will be decoded and displayed on the right in real time. To verify the signature, enter your secret key in the Signature Verification section. The tool supports HS256, HS384, and HS512 algorithms. Check the "Secret base64 encoded" box if your secret key is base64-encoded.

Common Use Cases

  • Debugging authentication issues by inspecting token claims
  • Verifying token expiration and issued-at timestamps
  • Checking JWT structure and algorithm before deployment
  • Validating HMAC signatures during API development
  • Learning about JWT structure and standards

Frequently Asked Questions

Is my JWT sent to any server?
No. All decoding and signature verification happens entirely in your browser using JavaScript and the Web Crypto API. Your tokens are never transmitted over the network.

Which algorithms are supported for signature verification?
Currently, HMAC-based algorithms (HS256, HS384, HS512) are supported for signature verification. RSA and ECDSA algorithms are displayed in the header but verification is not yet available.

Can I decode expired tokens?
Yes. The decoder works on any valid JWT structure regardless of whether it has expired. Expired tokens will show a red badge indicating how long ago they expired.

What is Base64URL encoding?
Base64URL is a variant of Base64 encoding used in JWTs. It replaces "+" with "-" and "/" with "_", and removes padding "=" characters, making it safe for use in URLs and HTTP headers.
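
As an added example (not this tool's source code), the sketch below shows the Base64URL handling and the HS256/384/512 check described above, using the Web Crypto API. The function names, the sample secrets and the caller-supplied `expectedAlg` parameter are assumptions of the example.

```javascript
const HS_HASH = { HS256: "SHA-256", HS384: "SHA-384", HS512: "SHA-512" };
// Browsers and current Node expose crypto.subtle globally; the require() path is a fallback.
const subtle = globalThis.crypto?.subtle ??
  (typeof require === "function" ? require("node:crypto").webcrypto.subtle : undefined);
const utf8 = new TextEncoder();
// Base64URL -> bytes: map "-" and "_" back to "+" and "/", then restore "=" padding.
function b64urlToBytes(s) {
  if (!/^[A-Za-z0-9_-]*$/.test(s)) throw new Error("not Base64URL");
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const bin = atob(b64 + "=".repeat((4 - (b64.length % 4)) % 4));
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
}
function bytesToB64url(bytes) {
  const b64 = btoa(String.fromCharCode(...bytes));
  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
// Decoding proves nothing: header and payload stay untrusted until verifyHs() returns true.
function decodeJwt(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const json = (p) => JSON.parse(new TextDecoder().decode(b64urlToBytes(p)));
  return { header: json(parts[0]), payload: json(parts[1]),
           signingInput: parts[0] + "." + parts[1], signature: b64urlToBytes(parts[2]) };
}
// secret: a string, or a Uint8Array when the key was stored base64-encoded.
function hmacKey(alg, secret, usage) {
  if (!Object.hasOwn(HS_HASH, alg)) throw new Error("unsupported alg: " + alg);
  const raw = typeof secret === "string" ? utf8.encode(secret) : secret;
  return subtle.importKey("raw", raw, { name: "HMAC", hash: HS_HASH[alg] }, false, [usage]);
}
// The caller pins expectedAlg (this sketch's assumption); a header naming another alg is rejected.
async function verifyHs(token, secret, expectedAlg) {
  const { header, signingInput, signature } = decodeJwt(token);
  if (header.alg !== expectedAlg) return false;
  const key = await hmacKey(expectedAlg, secret, "verify");
  return subtle.verify("HMAC", key, signature, utf8.encode(signingInput));
}
// Helper that signs a constructed sample token so the example runs offline.
async function signHs(header, payload, secret) {
  const enc = (o) => bytesToB64url(utf8.encode(JSON.stringify(o)));
  const input = enc(header) + "." + enc(payload);
  const sig = await subtle.sign("HMAC", await hmacKey(header.alg, secret, "sign"), utf8.encode(input));
  return input + "." + bytesToB64url(new Uint8Array(sig));
}
// Constructed demo: sign a sample token, then check it with the right and a wrong secret.
async function demo() {
  const t = await signHs({ alg: "HS256", typ: "JWT" }, { sub: "demo-user" }, "constructed-secret");
  return [await verifyHs(t, "constructed-secret", "HS256"), await verifyHs(t, "other-secret", "HS256")];
}
```

`demo()` resolves to `[true, false]`; in a browser console the same functions work unchanged.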