JWT Decoder
Decode a JSON Web Token and optionally verify its signature, right in your browser.
Decoded live as you paste, no key needed. Nothing leaves your browser, but treat any token as a secret.
Registered claims reference
issIssuer: who created and signed the token.subSubject: who or what the token is about.audAudience: who the token is meant for.expExpiration: the token is invalid after this time.nbfNot before: the token is invalid before this time.iatIssued at: when the token was created.jtiJWT ID: a unique identifier for the token.How to decode and verify a JWT online
Paste the token
Drop a JWT into the input. The header and payload are decoded the moment the token lands, with no button to press.
Check the claims
Registered claims are labelled, and exp, iat, and nbf are shown as dates in your local time zone with the expiry flagged valid or expired.
Read the header and payload
Both parts are shown as indented JSON, with the three token segments colour-coded so the algorithm, key ID, and custom claims are easy to scan.
Verify the signature
Enter the shared secret for an HS256 token, or a public key for RS256, PS256, or ES256, and the signature is checked in your browser.
Why use this tool
Instant header and payload view
The first two segments of the token are decoded and pretty-printed as JSON the moment you paste, with each of the three parts colour-coded.
Optional signature verification
Confirm an HS256, HS384, or HS512 token with its secret, or an RS256, PS256, or ES256 token with a public key. Verification runs entirely in your browser.
Time claims translated
exp, iat, nbf, and auth_time are raw Unix timestamps inside the token; here they appear as readable dates in your local time zone.
Expiry status at a glance
The exp claim is compared against the current time and labelled expired or valid, and a future nbf is flagged as not yet valid.
Security flags surfaced
The algorithm is labelled symmetric or asymmetric, and a token whose alg is "none" is called out as unsigned so it is never mistaken for trustworthy.
Tokens stay on your machine
Decoding and verification use only functions built into the browser. A pasted token, secret, or key is never sent, stored, or logged anywhere.
About this tool
This JWT decoder splits a JSON Web Token on its dots and decodes the first two segments, the header and the payload, from Base64URL into pretty-printed JSON. It works live as you paste, and colour-codes the three parts of the raw token so the header, payload, and signature are easy to tell apart. Registered claims are labelled with their meaning, and the time claims (exp, iat, nbf, and auth_time) are shown as dates in your local time zone, with the expiry marked expired or valid.
Decoding a token needs no key, but you can optionally verify its signature too. For an HS256, HS384, or HS512 token, enter the shared secret. For an RS256, PS256, or ES256 token, paste the matching public key as a PEM that begins with "BEGIN PUBLIC KEY" or as a JWK. The signature is then checked entirely in your browser, and the result reads verified only when the check genuinely passes. A token whose algorithm is "none" is flagged as unsigned.
The usual reason to reach for this is debugging authentication: confirming which algorithm and key ID the header names, checking whether a 401 really comes down to an expired token, or proving that a token was signed by the key you expect. Because tokens frequently carry live session credentials, everything runs on your device and nothing you paste is transmitted, but you should still treat any token, secret, or key as a secret. For raw timestamp values outside a token, the Unix timestamp converter does the same date translation, Base64 encode and decode handles arbitrary Base64 strings, and the JSON formatter will reformat a copied payload.
Frequently asked questions
- What is a JWT?
- A JSON Web Token (JWT) is a compact, URL-safe token made of three Base64URL parts separated by dots: a header, a payload of claims, and a signature. It is commonly used for authentication and to pass identity and authorization data between services.
- Can this tool verify the signature?
- Yes, optionally. Decoding the header and payload needs no key, but you can also verify the signature by entering the shared secret for an HS256, HS384, or HS512 token, or a public key for an RS256, PS256, or ES256 token. The check runs in your browser and only reports success when the signature genuinely matches. Without a key, the tool decodes but does not claim the token is authentic.
- What algorithms and key formats are supported?
- Verification covers the HS256, HS384, and HS512 shared-secret algorithms and the RS256, RS384, RS512, PS256, PS384, PS512, ES256, ES384, and ES512 public-key algorithms. For public-key tokens, paste the key as a PEM that begins with "BEGIN PUBLIC KEY" or as a JWK. A token whose alg is "none" is flagged as unsigned and has nothing to verify.
- How are exp, iat, and nbf shown?
- Those standard claims are stored as numeric Unix timestamps. The decoder lists them as human-readable dates and times in your local zone, flags whether an exp (expiry) is in the past, and marks a token as not yet valid when its nbf is in the future. The raw numeric values remain visible in the decoded payload JSON.
- Is my token sent anywhere?
- No. Decoding and verification happen entirely in your browser. Your token, any secret, and any key never leave your device, are never uploaded, and are not stored or logged. Still, treat any token you paste here as a secret.
- What if the token is malformed?
- If the input is not a well-formed JWT, the tool shows an inline message explaining which segment failed to decode instead of crashing. A key that cannot be read produces a friendly message rather than an error, and empty input simply shows nothing.
Related tools
Unix Timestamp Converter
Convert Unix epoch timestamps in seconds or milliseconds to a readable date, and back again.
Time Zone Converter
See one moment in time across multiple time zones at once, with offsets and day shifts.
API Key Generator
Generate cryptographically random API keys and tokens in hex, base62, or base64url, with control over length, an optional prefix, and bulk output.
ASCII Table Reference
The full ASCII character set with decimal, hex, octal, binary, and HTML codes. Search by code, character, or name.
Atbash Cipher
Mirror the alphabet so A swaps with Z, B with Y, and so on. Atbash is its own inverse, so one field both encodes and decodes as you type.
Base32 Encoder and Decoder
Encode text to standard Base32 and decode Base32 back to text, following RFC 4648.