JWT Decoder

Decode and inspect JSON Web Tokens.

Parses JSON Web Tokens into their three components (header, payload, and signature) so you can inspect claims and metadata without a backend service. It handles Base64url decoding, pretty-prints the JSON, and shows human-readable timestamps for standard time claims (iat, exp, nbf).

What is it used for?

  • API debugging: inspect access tokens from OAuth 2.0 / OpenID Connect flows to verify claims, scopes, and expiration
  • Authentication troubleshooting: check whether a token is expired, issued by the correct provider (iss), or targeted at the right audience (aud)
  • Learning JWT structure: understand how JWTs are composed with a visual breakdown of each part
  • CI/CD & DevOps: verify tokens generated in pipelines before deploying to production

Step-by-Step Guide

  1. Paste your JWT token into the input field (Bearer prefix is stripped automatically)
  2. The header, payload, and signature are decoded instantly
  3. Review the parsed claims in the payload section
  4. Check expiration status shown with a badge and relative time
  5. Copy individual sections or the full decoded output

How it works

A JWT consists of three Base64url-encoded segments separated by dots. This tool splits the token, decodes each segment using the standard Base64url alphabet, and parses the resulting JSON. All processing happens entirely in your browser; no data is sent to any server. The tool automatically strips Bearer prefixes and shows expiration status in real time. Note: this tool decodes tokens but does not verify signatures, so the decoded claims are unauthenticated until the signature has been checked elsewhere. Signature verification requires the secret or public key, which should never be entered into a web tool.
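
The decoding steps described above, as an added example that is not this tool's own source code. The names decodeJwt, b64urlToText and sampleToken are assumptions made for illustration, and the sample token is constructed with a placeholder signature.

```javascript
// Added example; decodeJwt, b64urlToText and sampleToken are illustrative names.
const B64URL = /^[A-Za-z0-9_-]*$/;

// Base64url -> UTF-8 text. Rejects anything outside the URL-safe alphabet.
function b64urlToText(seg) {
  if (!B64URL.test(seg) || seg.length % 4 === 1) {
    throw new Error("invalid Base64url segment");
  }
  const b64 = seg.replace(/-/g, "+").replace(/_/g, "/") + "=".repeat((4 - (seg.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

// Decode only: the signature is never checked, so every claim is untrusted input.
function decodeJwt(input, nowSeconds = Math.floor(Date.now() / 1000)) {
  const token = input.trim().replace(/^Bearer\s+/i, "");
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected 3 segments, got " + parts.length);
  const [header, payload] = parts.slice(0, 2).map((p) => JSON.parse(b64urlToText(p)));
  if (!payload || typeof payload !== "object") throw new Error("payload is not a JSON object");
  if (!B64URL.test(parts[2])) throw new Error("invalid Base64url signature");
  let status = "no exp claim";
  if (typeof payload.nbf === "number" && nowSeconds < payload.nbf) status = "not yet valid";
  else if (typeof payload.exp === "number") status = nowSeconds >= payload.exp ? "expired" : "active";
  const iso = (c) => (typeof payload[c] === "number" ? new Date(payload[c] * 1000).toISOString() : null);
  return {
    header, payload, signature: parts[2], status, verified: false,
    times: { iat: iso("iat"), nbf: iso("nbf"), exp: iso("exp") },
  };
}

// Constructed sample: the signature is a placeholder, not produced with any key.
const enc = (o) => btoa(JSON.stringify(o)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const sampleToken = [
  enc({ alg: "HS256", typ: "JWT" }),
  enc({ iss: "https://issuer.example", aud: "api.example", iat: 1700000000, exp: 1700003600 }),
  "c2lnbmF0dXJl",
].join(".");

const result = decodeJwt("Bearer " + sampleToken, 1700003601);
console.log(result.status, result.times.exp, result.payload.aud);
```

The verified: false field is always set because decoding alone says nothing about who issued the token; authorization decisions belong after signature verification on the server.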

Tips & Best Practices

  • You can paste the full Authorization header value; the Bearer prefix is stripped automatically
  • Time claims (iat, exp, nbf) are shown as both UNIX timestamps and human-readable dates
  • Use this tool alongside the Date to Timestamp converter to create test JWT claim values
  • Never paste production secret keys into any web tool; only paste the token itself

Frequently Asked Questions

Is it safe to paste my JWT here?

Yes. Everything runs 100% client-side in your browser. No tokens are sent to any server, stored, or logged. You can verify this by checking the Network tab in your browser's developer tools.

What is the difference between decoding and verifying a JWT?

Decoding simply reads the header and payload by Base64url-decoding them, which anyone can do. Verifying checks the signature against a secret (HMAC) or public key (RSA/EC) to confirm the token hasn't been tampered with. This tool only decodes.

What are the standard JWT claims?

The registered claims defined in RFC 7519 are: iss (issuer), sub (subject), aud (audience), exp (expiration), nbf (not before), iat (issued at), and jti (JWT ID). Applications can add any custom claims they need.

Can I decode expired tokens?

Yes. Expired tokens are decoded normally; the tool shows an Expired badge and displays when the token expired with a relative time indicator.

Privacy & Security

This tool uses FFmpeg compiled to WebAssembly (WASM). The WASM binary (~25MB) is downloaded from a CDN on first use and cached by your browser. All file processing happens locally on your device - your files are never uploaded to any server. This makes it safe for sensitive, private, or confidential media files. Large files may take longer to process depending on your device's CPU and available memory.