JWT Decoder & Inspector

Inspect JSON Web Tokens instantly — header, payload, claims, expiry status. 100% in-browser, nothing sent to any server.


How to Use

  1. Copy a JWT from your app, API response, browser DevTools (Authorization header or cookie), or identity provider dashboard.
  2. Paste it into the text area above — the token is decoded immediately in your browser. The three parts are color-coded: Header · Payload · Signature.
  3. Review the Claims table for a plain-English explanation of each field — including standard claims like exp, iat, iss, and sub.
  4. Check the Status bar at the top: it shows whether the token is currently valid, expired, or not yet active, based on the exp and nbf timestamps.
  5. Use the Copy button on any panel to copy the decoded JSON for use in documentation or debugging workflows.

About This Tool

A JSON Web Token (JWT) is a compact, URL-safe credential format used in OAuth 2.0, OpenID Connect, and API authentication. It consists of three Base64URL-encoded sections joined by dots: the Header describes the signing algorithm and token type; the Payload holds claims (assertions about a user or session); and the Signature, computed over the first two sections, lets a verifier detect any tampering with them.

This decoder runs entirely in your browser using the Web Crypto API and standard JavaScript — your token never leaves your device. Note that signature verification requires the secret or public key, which this client-side tool does not have access to. Always verify tokens server-side with a trusted JWT library before trusting their claims.

Frequently Asked Questions

Is it safe to paste my JWT here?

For development and staging tokens: yes — this tool is 100% client-side with no network requests. For production tokens that grant real access, avoid pasting them into any online tool. If you must debug a live token, revoke it first, or issue a short-lived one for the purpose.

Why can't the signature be verified?

Verifying an HMAC signature (like HS256) requires the shared secret. Verifying an RSA/ECDSA signature (like RS256, ES256) requires the issuer's public key. Neither is available client-side without you supplying it. Always verify server-side using a library like jsonwebtoken (Node.js), PyJWT (Python), or golang-jwt (Go).

What do exp, iat, and nbf mean?

iat (issued at) is when the token was created. exp (expiration) is when it becomes invalid — your server should reject tokens past this time. nbf (not before) is the earliest moment the token is valid. All three are Unix timestamps (seconds since 1970-01-01 UTC), defined in RFC 7519.
