JWT Decoder — Decode JSON Web Tokens Online
What is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe token format used to transmit claims between parties. It has three base64url-encoded parts separated by dots: a Header (signing algorithm and token type), a Payload (claims and data), and a Signature (used by the receiver to verify that the first two parts were issued by the holder of the key). Authentication systems, OAuth flows, and API gateways all use JWTs to pass identity and authorization data without round-tripping to a session store.
How to use
- Paste your token into the Encoded Token pane on the left.
- The Header shows the signing algorithm (HS256, RS256, etc.) and token type.
- The Payload shows the claims: user data, expiration, scopes, anything the issuer chose to include.
- The Decoded Claims table adds human-readable descriptions for standard claims (iss, sub, aud, exp, iat…). Click a row to flash the matching key in the Payload above.
- The expiration badge in the toolbar shows whether the token is valid, expired, or has no exp claim.
Frequently Asked Questions
Does this decoder verify the JWT signature?
No. Verifying an HS256 signature requires the shared secret, and pasting that into a browser tool would defeat the purpose of keeping it private. Verifying an RS256 or ES256 signature needs only the issuer's public key, but this decoder does not implement verification for those either. It parses and displays the header, payload, and claims so you can inspect a token's contents; the signature line just shows the raw base64url value so you can compare it elsewhere.
Why does my JWT show as 'Invalid'?
A JWT must have exactly three parts separated by dots: header.payload.signature. The most common causes of failure are: copying with extra whitespace, missing the third part (unsigned tokens still need an empty third segment after the dot), or base64url decoding errors when the token was mangled in transit. Try re-copying from the source and pasting again.
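The decoding steps described in the how-to list and the failure causes listed in this answer, as an added example that is not the tool's own source. It is plain browser-style JavaScript: `base64UrlDecode`, `decodeJwt`, `expiryStatus` and `describeClaims` are names chosen here, the claim descriptions are a small subset, and the sample token at the bottom is constructed for the example with a placeholder signature. Nothing in it verifies a signature.

```javascript
// Added example (not the page's own code): a minimal client-side JWT decoder
// of the kind the tool describes. It splits, base64url-decodes and parses; it
// never verifies the signature. The sample token below is constructed here.

const CLAIM_DESCRIPTIONS = {
  iss: 'Issuer', sub: 'Subject', aud: 'Audience', exp: 'Expiration time',
  nbf: 'Not before', iat: 'Issued at', jti: 'JWT ID',
};
const TIME_CLAIMS = new Set(['exp', 'nbf', 'iat']);

function base64UrlDecode(segment) {
  // base64url (RFC 4648 section 5) uses '-' and '_' and drops '=' padding;
  // atob() wants standard base64, so validate the alphabet and convert first.
  if (!/^[A-Za-z0-9_-]*$/.test(segment)) throw new Error('non-base64url character');
  if (segment.length % 4 === 1) throw new Error('truncated base64url segment');
  let b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  b64 += '='.repeat((4 - (b64.length % 4)) % 4);
  const bin = atob(b64);
  // atob() returns a byte-per-character "binary string"; decode it as UTF-8
  // so non-ASCII claim values survive.
  return new TextDecoder().decode(Uint8Array.from(bin, (c) => c.charCodeAt(0)));
}

function base64UrlEncode(str) {
  const bytes = new TextEncoder().encode(str);
  const bin = Array.from(bytes, (b) => String.fromCharCode(b)).join('');
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function isObject(v) {
  return typeof v === 'object' && v !== null && !Array.isArray(v);
}

// Expiration badge: 'valid' (exp still in the future), 'expired', or 'no exp claim'.
function expiryStatus(payload, now) {
  if (typeof payload.exp !== 'number') return 'no exp claim';
  return now < payload.exp ? 'valid' : 'expired';
}

// Rows for the Decoded Claims table: name, description, raw value and, for
// NumericDate claims, the human-readable local time.
function describeClaims(payload) {
  return Object.entries(payload).map(([name, value]) => ({
    name,
    description: CLAIM_DESCRIPTIONS[name] || 'Private or public claim',
    value,
    localTime: TIME_CLAIMS.has(name) && typeof value === 'number'
      ? new Date(value * 1000).toLocaleString()
      : null,
  }));
}

function decodeJwt(token, now = Math.floor(Date.now() / 1000)) {
  // Whitespace picked up while copying is the most common "Invalid" cause: trim it.
  const parts = token.trim().split('.');
  if (parts.length !== 3) {
    return { valid: false, error: `expected 3 dot-separated parts, got ${parts.length}` };
  }
  // An unsigned token ("alg": "none") still has a trailing dot, so its third
  // segment is present but empty; that is accepted here.
  const [h, p, signature] = parts;
  let header, payload;
  try {
    header = JSON.parse(base64UrlDecode(h));
    payload = JSON.parse(base64UrlDecode(p));
  } catch (e) {
    // Covers mangled base64url and anything that does not parse as JSON.
    return { valid: false, error: `cannot decode: ${e.message}` };
  }
  if (!isObject(header) || !isObject(payload)) {
    return { valid: false, error: 'header and payload must be JSON objects' };
  }
  return {
    valid: true, header, payload, signature,
    expiry: expiryStatus(payload, now), claims: describeClaims(payload),
  };
}

// Constructed sample: structurally valid, with a placeholder signature.
const SAMPLE_TOKEN = [
  base64UrlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' })),
  base64UrlEncode(JSON.stringify({ sub: '1234567890', name: 'Jöhn Doe', iat: 1516239022, exp: 1516242622 })),
  'placeholder-signature',
].join('.');

console.log(decodeJwt(SAMPLE_TOKEN));
```

Because the decoder only inspects the token, a header declaring `"alg": "none"` or a payload claiming any subject decodes just as happily as a genuine token; the `valid` flag means "well-formed", not "authentic".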
Does the tool see my JWT?
No. The decoder runs in your browser using built-in atob() and JSON.parse(). Your token is never sent to any server, never logged, and never stored. You can verify this by opening DevTools' Network tab while pasting a token. No requests fire.
What's the difference between iat, nbf, and exp?
iat (issued at) is when the token was created. nbf (not before) is the earliest time the token may be accepted, useful for scheduling tokens that activate later. exp (expiration) is when the token stops being valid. All three are Unix timestamps in seconds, and this tool shows the human-readable local time underneath each one.
Why is the algorithm shown but no green checkmark?
The decoder displays whatever algorithm the header declares (HS256, RS256, ES256, etc.), but it does not check that the signature matches. A token with alg: none, or one whose header names a different algorithm from the one your backend expects, will still decode here. That is by design. Verification belongs in your backend, not in a browser tool, and a verifier should pin the algorithm it expects rather than trust the one the token declares.