JWT Decoder
Decode JSON Web Tokens and view header and payload data.
Why Use JWT Decoder?
When an API rejects your request with "invalid token" or "token expired", you need to see what's actually inside the JWT — fast. Most "online JWT decoder" tools POST the token to their server, which is exactly the wrong behaviour for something that may be a valid access token with live permissions. This decoder runs the Base64URL split in-browser, so you can inspect production tokens without leaking them. It also surfaces the claims as a readable JSON tree, making it easy to spot the wrong audience, a stale issuer, or an expired `exp` timestamp.
How to Use JWT Decoder
- Paste your complete JWT (the long string with two dots, without any leading "Bearer " prefix) into the input field.
- The tool automatically decodes and displays the Header (algorithm, type) and Payload (claims, expiration, issuer) in formatted JSON.
- Review the decoded information including token expiration time, issuer, subject, and custom claims.
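The three steps above, as an added example that is not the tool's own source: a Base64URL split-and-decode that tolerates the usual paste mistakes, followed by the claim checks behind an "expired" or "wrong audience" banner. It uses only atob() and TextDecoder, so it runs in a browser or in Node.js 16+. The sample token is the page's own HS256 example (its third segment is a literal placeholder); the fixed clock value, the expected audience and the 60-second skew allowance are assumptions made for the demo.

```javascript
// Added example (not the page's own code): the in-browser decode step the tool
// performs, plus the claim checks a reviewer then does by eye. Uses only
// atob() and TextDecoder, so it runs in a browser or in Node.js 16+.

// Base64URL -> UTF-8 string. JWT segments use the URL-safe alphabet and omit
// '=' padding, which plain atob() rejects, so translate and pad first.
function base64UrlDecode(segment) {
  if (!/^[A-Za-z0-9_-]*$/.test(segment)) {
    throw new Error("segment contains characters outside the Base64URL alphabet");
  }
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8").decode(bytes);
}

// Split and decode; nothing is verified. Tolerates a leading "Bearer " and
// surrounding whitespace, the two most common copy/paste mistakes.
function decodeJwt(token) {
  const raw = token.trim().replace(/^Bearer\s+/i, "");
  const parts = raw.split(".");
  if (parts.length !== 3) {
    throw new Error(`expected 3 segments (header.payload.signature), got ${parts.length}`);
  }
  const [h, p, s] = parts;
  return {
    header: JSON.parse(base64UrlDecode(h)),
    payload: JSON.parse(base64UrlDecode(p)),
    signature: s,               // kept opaque; a decoder cannot check it
    signingInput: `${h}.${p}`,  // the bytes a verifier would MAC or sign
  };
}

// The checks behind an "expired" / "wrong audience" banner. Returns every
// problem found rather than stopping at the first. Times are Unix seconds;
// a small skew allowance covers clock drift between issuer and verifier.
function checkClaims(payload, opts = {}) {
  const { now = Math.floor(Date.now() / 1000), expectedAud, expectedIss, skew = 60 } = opts;
  const iso = (t) => new Date(t * 1000).toISOString();
  const problems = [];
  if (payload.exp !== undefined && now > payload.exp + skew) {
    problems.push(`expired at ${iso(payload.exp)}`);
  }
  if (payload.nbf !== undefined && now + skew < payload.nbf) {
    problems.push(`not valid before ${iso(payload.nbf)}`);
  }
  if (expectedAud !== undefined) {
    // aud may be a single string or an array of audiences (RFC 7519)
    const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
    if (!aud.includes(expectedAud)) {
      problems.push(`aud ${JSON.stringify(payload.aud)} does not include ${expectedAud}`);
    }
  }
  if (expectedIss !== undefined && payload.iss !== expectedIss) {
    problems.push(`iss ${JSON.stringify(payload.iss)} is not ${expectedIss}`);
  }
  return problems;
}

// Constructed input: the page's own HS256 sample, whose third segment is a placeholder.
const SAMPLE = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkphbmUgRG9lIiwiaWF0IjoxNjkzNDU2MDAwfQ.signature";

const decoded = decodeJwt("Bearer " + SAMPLE);
console.log(decoded.header);   // { alg: 'HS256', typ: 'JWT' }
console.log(decoded.payload);  // { sub: '1234567890', name: 'Jane Doe', iat: 1693456000 }
// Assumed clock (1700000000) and audience for the demo:
console.log(checkClaims({ sub: "user-42", aud: "https://api.example.com", exp: 1696048000 },
                        { now: 1700000000, expectedAud: "https://api.example.com" }));
// [ 'expired at 2023-09-30T04:26:40.000Z' ]
```

Note that checkClaims reports on the decoded claims only; a token that passes every check here can still be rejected by a backend because its signature does not verify, which no decoder can tell you.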
Worked Examples
A minimal HS256 token
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkphbmUgRG9lIiwiaWF0IjoxNjkzNDU2MDAwfQ.signature
Header: {"alg":"HS256","typ":"JWT"}
Payload: {"sub":"1234567890","name":"Jane Doe","iat":1693456000}
iat is a Unix timestamp (here 2023-08-31 04:26:40 UTC); the decoder renders it as a human-readable date. The third segment of this sample, the literal word "signature", is a placeholder rather than a real HMAC; the decoder shows the header and payload regardless, since it never checks the signature.
Token with audience and expiry
Paste any JWT containing exp and aud claims
Payload: {
"sub":"user-42",
"aud":"https://api.example.com",
"exp":1696048000
}
Expires: 2023-09-30 04:26:40 UTC (expired 18 months ago)
An obvious "expired" banner makes stale-token bugs immediate.
RS256 signed token
JWT with alg: RS256
Header shows RS256 — signature cannot be verified client-side without the issuer's public key. Payload and claims still decode normally.
Use your backend or openssl for signature verification.
About JWT Decoder
The JWT Decoder lets you inspect and debug JSON Web Tokens (JWTs) without sending them to any server. JWTs carry authentication and authorization data in OAuth 2.0 access tokens, OpenID Connect ID tokens, and a large share of API credentials. Our decoder splits the token into its three components, Header, Payload, and Signature, and displays the first two as formatted, readable JSON (the signature is raw bytes, not JSON). The Header reveals the signing algorithm (HS256, RS256, etc.) and token type. The Payload shows all claims, including standard ones like expiration (exp), issued-at (iat), issuer (iss), and audience (aud), plus any custom claims. This is invaluable for debugging authentication issues, checking token contents during development, and understanding API security flows. Crucially, all decoding happens client-side: your tokens never leave your browser.
Troubleshooting & Common Issues
"Invalid token" — the decoder rejects my JWT
A signed JWT (JWS compact serialization) has exactly three Base64URL-encoded segments separated by dots (header.payload.signature). Paste the complete token: copying from a curl log sometimes drops the signature segment or brings in extra whitespace, and a leading "Bearer " prefix must be stripped before decoding. Two edge cases to know about: an unsigned token (`alg: none`) ends in a trailing dot with an empty third segment and still counts as three segments, and an encrypted JWT (JWE) has five segments and cannot be inspected at all without the decryption key.
Claims look like numbers (e.g., `exp: 1696048000`) — what do they mean?
Standard time claims (exp, iat, nbf) are Unix timestamps in seconds. The decoder renders them as human-readable dates next to the raw value. A past exp means the token is expired; a future nbf means it's not yet valid.
The signature segment looks random — is that normal?
Yes. The signature is a cryptographic MAC (HS256) or digital signature (RS256/ES256) over the header and payload. It's not meant to be human-readable. Verifying the signature requires the shared secret (HS) or the issuer's public key (RS/ES) — use your backend's JWT library or jwt.io with a manually pasted key to verify.
I decoded the token but the backend still rejects it
Decoding success only proves the segments are valid Base64URL-encoded JSON. Rejection usually means: (1) the signature fails verification (wrong key or algorithm), (2) exp has passed, or nbf is still in the future, by more than the backend's clock-skew allowance, (3) aud doesn't match your API, or (4) iss is from a different OAuth provider. Check each claim against what your backend expects, and compare the token's timestamps with the server's clock rather than your own machine's.
Frequently Asked Questions
Is it safe to decode JWTs in this tool?
Yes. JWT decoding happens entirely in your browser. Your tokens are never sent to any server. This is critical because JWTs often contain sensitive information like user IDs, roles, and permissions.
Does this tool verify the JWT signature?
This tool decodes and displays the token's contents but does not verify the cryptographic signature (which requires the secret key or public key). It's designed for inspection and debugging, not signature validation.
What are common JWT claims?
Standard claims include: exp (expiration time), iat (issued at), nbf (not before), iss (issuer), sub (subject/user ID), aud (audience), and jti (unique token ID). Applications also add custom claims like roles, permissions, and user metadata.
Why does my JWT have three parts separated by dots?
A JWT consists of three Base64URL-encoded parts separated by dots: the Header (algorithm info), the Payload (claims/data), and the Signature (cryptographic verification). This structure allows the token to be self-contained and verifiable.
What's the difference between HS256 and RS256?
HS256 uses a shared secret (issuer and verifier know the same key): simple, but the secret must never leak, and anyone who can verify can also mint tokens. RS256 uses asymmetric keys: the issuer signs with a private key, verifiers check with a public key that can be safely distributed, which is why it is the norm for third-party APIs and OpenID Connect. In either case the verifier should pin the algorithm it expects rather than trust the token's alg header; otherwise a token claiming alg: none, or an HS256 token whose MAC was computed with the RS256 public key as the "secret", can slip past a careless implementation.
Can I decode an expired or invalid JWT?
Yes — decoding only cares about the Base64URL structure. The decoder will happily show the payload of an expired or signature-invalid token, and it flags `exp` if it's in the past so you can spot expiration bugs quickly.
Is it safe to paste a production JWT into this tool?
Because decoding is 100% client-side, the token never leaves your browser. That said, consider whether your browser has extensions that read page content, and avoid pasting production tokens on shared machines. For maximum safety on sensitive tokens, decode locally instead: cut out the payload segment, translate the Base64URL alphabet to standard Base64 and restore the `=` padding, then pipe it through `base64 -d` and `jq`. Plain `base64 -d` rejects a raw JWT segment because of the `-` and `_` characters and the missing padding.
Related Tools
Base64 Encoder / Decoder
Encode text to Base64 format or decode from it.
JSON Formatter
Format, beautify, validate and convert JSON data with syntax highlighting, tree view, and auto-fix.
UUID / GUID Generator
Generate random UUIDs (Universally Unique Identifiers) instantly.
URL Encoder / Decoder
Safely encode URL components or decode URL-encoded strings.