JWT Decoder

Decode JWT tokens instantly. View header, payload, signature, expiration timing, parse diagnostics, and verify HS256 or RS256 signatures locally. Free, runs entirely in your browser. No data leaves your machine.

Accepts raw JWTs plus Bearer ... and Authorization: Bearer ... inputs.

Private by default. Decoding happens entirely in your browser.
Paste a token above to decode
 
 
 

JWT debugger

Verify the signature locally

Supports HS256 shared secrets and RS256 public keys. Verification runs entirely in your browser.

Algorithm: decode a token first
Decode a token, then verify it with the matching key.

Token checks

Compare claims against your expected values

Useful for issuer mismatch, wrong audience, subject confusion, and clock-skew debugging.

Decode a token to compare issuer, audience, subject, expiration, and not-before claims.

Compare mode

Compare this token against another JWT

Paste a second token to spot issuer, audience, timing, algorithm, or signature differences. Comparison also runs entirely in your browser.

Decode a token above, then paste another JWT here to compare header, payload, and signature differences.

What is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe token format used to transmit claims between two parties. It consists of three Base64URL-encoded parts separated by dots: a header, a payload, and a signature.

How this decoder helps you debug tokens faster

This tool does more than show the raw JSON. It highlights important timestamp claims, tells you whether a token is expired or not active yet, explains malformed input with targeted parse errors, and verifies HS256 or RS256 signatures locally when you provide the matching key material. It also cleans common pasted inputs like Bearer and Authorization: Bearer headers automatically.

The three parts

  • Header contains metadata: the signing algorithm (e.g. HS256, RS256) and token type.
  • Payload contains the claims: user data, expiration time, issuer, and any custom fields.
  • Signature is a cryptographic hash that verifies the token hasn't been tampered with. This decoder shows the signature but cannot verify it without the signing key.

Common claims

  • iss (issuer): who created the token
  • sub (subject): who the token represents
  • aud (audience): intended recipient
  • exp (expiration): when the token expires (Unix timestamp)
  • iat (issued at): when the token was created
  • nbf (not before): token is not valid before this time

Common JWT debugging tasks

  • Check whether a token is already expired or will expire soon
  • Confirm that a token is not blocked by an nbf claim
  • Inspect iss, aud, and sub values during auth issues
  • Compare two tokens from different environments, users, or refresh cycles to spot claim drift
  • Copy just the header or payload JSON into logs, tickets, or docs
  • Detect when a pasted token is actually a 5-part encrypted JWE

Frequently Asked Questions

Is this tool safe to use with real tokens? Yes. This decoder runs entirely in your browser. Your token is never sent to any server. You can verify this by disconnecting from the internet and using the tool offline.

Can this tool verify JWT signatures? Yes. It can verify HS256 tokens with a shared secret and RS256 tokens with a PEM-formatted public key. Verification runs locally in your browser and never uploads the token or key.

Why does my token show as expired or not active yet? The decoder compares the exp and nbf claims against your device's current time. If your system clock is wrong, the result may be inaccurate.

Why can't this decoder open my 5-part token? A 5-part token is usually a JWE (encrypted JWT), not a signed JWT. This tool can identify that case and explain why the contents cannot be decoded without decryption support.