JWT Decoder
Decode JWT tokens instantly. View header, payload, signature, expiration timing, parse diagnostics, and verify HS256 or RS256 signatures locally. Free, runs entirely in your browser. No data leaves your machine.
Accepts raw JWTs plus Bearer ... and Authorization: Bearer ...
inputs.
JWT debugger
Verify the signature locally
Supports HS256 shared secrets and RS256 public keys. Verification
runs entirely in your browser.
Token checks
Compare claims against your expected values
Useful for issuer mismatch, wrong audience, subject confusion, and clock-skew debugging.
Claim help
Why these claims matter
Quick reminders for the standard fields showing up in this token.
Compare mode
Compare this token against another JWT
Paste a second token to spot issuer, audience, timing, algorithm, or signature differences. Comparison also runs entirely in your browser.
What is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe token format used to transmit claims between two parties. It consists of three Base64URL-encoded parts separated by dots: a header, a payload, and a signature.
How this decoder helps you debug tokens faster
This tool does more than show the raw JSON. It highlights important timestamp claims,
tells you whether a token is expired or not active yet, explains malformed input with
targeted parse errors, and verifies HS256 or RS256 signatures locally when you provide
the matching key material. It also cleans common pasted inputs like Bearer
and Authorization: Bearer headers automatically.
The three parts
- Header contains metadata: the signing algorithm (e.g. HS256, RS256) and token type.
- Payload contains the claims: user data, expiration time, issuer, and any custom fields.
- Signature is a cryptographic hash that verifies the token hasn't been tampered with. This decoder shows the signature but cannot verify it without the signing key.
Common claims
- iss (issuer): who created the token
- sub (subject): who the token represents
- aud (audience): intended recipient
- exp (expiration): when the token expires (Unix timestamp)
- iat (issued at): when the token was created
- nbf (not before): token is not valid before this time
Common JWT debugging tasks
- Check whether a token is already expired or will expire soon
- Confirm that a token is not blocked by an
nbfclaim - Inspect
iss,aud, andsubvalues during auth issues - Compare two tokens from different environments, users, or refresh cycles to spot claim drift
- Copy just the header or payload JSON into logs, tickets, or docs
- Detect when a pasted token is actually a 5-part encrypted JWE
Frequently Asked Questions
Is this tool safe to use with real tokens? Yes. This decoder runs entirely in your browser. Your token is never sent to any server. You can verify this by disconnecting from the internet and using the tool offline.
Can this tool verify JWT signatures? Yes. It can verify HS256
tokens with a shared secret and RS256 tokens with a PEM-formatted public key.
Verification runs locally in your browser and never uploads the token or key.
Why does my token show as expired or not active yet? The decoder
compares the exp and nbf claims against your device's current time.
If your system clock is wrong, the result may be inaccurate.
Why can't this decoder open my 5-part token? A 5-part token is usually a JWE (encrypted JWT), not a signed JWT. This tool can identify that case and explain why the contents cannot be decoded without decryption support.