How to Decode a JWT Token
- Copy your JWT token — from a browser cookie, an Authorization header, an API response, or a log file.
- Paste it into the input box above. The tool decodes the header and payload instantly as you type — no submit button needed.
- Inspect the claims. The payload panel shows all claims as formatted JSON. The expiry badge tells you whether the token is still valid.
What is a JSON Web Token?
A JSON Web Token (JWT) is a compact, URL-safe way to represent claims between two parties. It is defined in RFC 7519 and is widely used in authentication and authorization flows — for example, as the access token returned by an OAuth 2.0 server or as a session token in a single-page application.
A signed JWT (technically a JWS — JSON Web Signature) consists of three Base64Url-encoded sections joined by dots:
eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ1MTIzIn0.SflKxwRJSMeKK...
The first part is the header, the second is the payload (claims), and the third is the signature. Only the first two parts contain readable data: the signature is a cryptographic signature (an HMAC or a digital signature) computed over the first two parts, and verifying it requires the server's key material.
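The decoding steps above, as an added example that is not the page's tool code: a dependency-free decoder that splits the compact JWS, restores the Base64Url padding, parses header and payload as JSON, and computes the expiry badge. The sample token is constructed inline (its issuer and signature bytes are placeholders); the code verifies nothing, exactly like the tool.

```javascript
// Added example (not the page's tool code): a dependency-free decoder that does
// exactly what the how-to above describes: split the compact JWS, Base64Url-decode
// header and payload, and report an expiry badge. It verifies nothing.

// Base64Url (RFC 7515 Appendix C) -> bytes. JWT segments omit '=' padding,
// so it is restored before handing the string to the standard Base64 decoder.
function base64UrlToBytes(segment) {
  if (!/^[A-Za-z0-9_-]*$/.test(segment)) throw new Error('segment is not Base64Url');
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const pad = (4 - (b64.length % 4)) % 4;
  if (pad === 3) throw new Error('invalid Base64Url length');
  const bin = atob(b64 + '='.repeat(pad));
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
}

// bytes -> Base64Url, used only to build the constructed sample token below.
function bytesToBase64Url(bytes) {
  let bin = '';
  for (const b of bytes) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Split a compact JWS into its three segments and parse the two JSON ones.
// The signature is returned as raw bytes; nothing here checks it.
function decodeJwt(token) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) throw new Error(`expected 3 segments, got ${parts.length}`);
  const utf8 = new TextDecoder('utf-8', { fatal: true });
  const parseJsonObject = (seg, name) => {
    const value = JSON.parse(utf8.decode(base64UrlToBytes(seg)));
    if (value === null || typeof value !== 'object' || Array.isArray(value)) {
      throw new Error(`${name} is not a JSON object`);
    }
    return value;
  };
  return {
    header: parseJsonObject(parts[0], 'header'),
    payload: parseJsonObject(parts[1], 'payload'),
    signature: base64UrlToBytes(parts[2]),
  };
}

// Expiry badge. `exp` is a NumericDate (seconds since epoch); per RFC 7519 the
// current time must be strictly before it, so now === exp counts as expired.
// `nowSeconds` is injectable so the result is reproducible.
function expiryStatus(payload, nowSeconds = Math.floor(Date.now() / 1000)) {
  if (typeof payload.exp !== 'number') return 'no-exp';
  return nowSeconds < payload.exp ? 'valid' : 'expired';
}

// Constructed sample token (not from the page). The signature bytes are
// arbitrary: this block only demonstrates decoding, so no key is involved.
function buildSampleToken() {
  const enc = new TextEncoder();
  const header = bytesToBase64Url(enc.encode(JSON.stringify({ alg: 'RS256', typ: 'JWT' })));
  const payload = bytesToBase64Url(enc.encode(JSON.stringify({
    sub: 'u123', iss: 'https://issuer.example', exp: 1700000000,
  })));
  const fakeSignature = bytesToBase64Url(new Uint8Array([0xde, 0xad, 0xbe, 0xef]));
  return `${header}.${payload}.${fakeSignature}`;
}

const SAMPLE_TOKEN = buildSampleToken();
const decoded = decodeJwt(SAMPLE_TOKEN);
console.log('header :', JSON.stringify(decoded.header));
console.log('payload:', JSON.stringify(decoded.payload, null, 2));
console.log('badge at 1699999999:', expiryStatus(decoded.payload, 1699999999)); // valid
console.log('badge at 1700000000:', expiryStatus(decoded.payload, 1700000000)); // expired
```

The `atob`/`btoa` and `TextDecoder` globals are what a browser tool would use; the same code runs unchanged under a recent Node.js. Rejecting a segment that is not strict Base64Url, or a header that is not a JSON object, is what keeps a pasted log fragment from being mistaken for a token.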
Standard JWT Claims
The JWT specification defines a set of registered claim names that have specific meanings. Custom claims can be added alongside these.
| Claim | Name | Description |
|---|---|---|
| sub | Subject | Who the token is about (user ID, email, etc.) |
| iss | Issuer | The server or service that created the token |
| aud | Audience | The intended recipient(s) of the token |
| exp | Expiration | Unix timestamp after which the token is invalid |
| iat | Issued At | Unix timestamp when the token was created |
| nbf | Not Before | Unix timestamp before which the token is not yet valid |
| jti | JWT ID | A unique identifier for this specific token |
Why Not Verify the Signature Here?
Verifying a JWT signature requires the secret key (for HMAC algorithms like HS256) or the public certificate (for RSA/EC algorithms like RS256 or ES256). This key is confidential — it lives on your server and must never be exposed in a browser tool.
Signature verification belongs in your backend code (using a library like jsonwebtoken in Node.js, python-jose in Python, or java-jwt in Java). This tool is for inspecting claims — checking what's inside a token during development and debugging.
Frequently Asked Questions
Does this tool verify the JWT signature?
No. Verifying a signature requires the secret key or public certificate from your server — information that should never be pasted into a browser tool. This debugger only decodes the Base64Url-encoded parts so you can read the claims.
Is my JWT token sent to a server?
No. Decoding happens entirely in your browser. You can confirm this by opening DevTools → Network tab while pasting a token — you will see zero network requests. Your token never reaches any server.
What is the difference between the header, payload, and signature?
The header contains token metadata: the type (JWT) and the algorithm used to sign it (e.g. RS256). The payload contains the claims, the actual data such as user ID, roles, and expiry time. The signature is a cryptographic signature over the header and payload; it proves the token hasn't been tampered with and can only be verified with the matching key: the shared secret for HMAC algorithms, or the issuer's public key for RSA/EC algorithms.
What are the most important claims to check?
Start with exp (is the token expired?), sub (which user does it belong to?), iss (was it issued by the expected authority?), and aud (is it intended for your service?). For OAuth tokens, also look for scope or roles to see what the token is authorized to do.
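The checks described in this answer and in the Standard JWT Claims table above, as an added example that is not the page's tool code: the claim validation a backend runs after the signature has verified. The expected issuer and audience, the sample payloads and the `NOW` timestamp are constructed placeholders; `leewaySeconds` makes clock skew between issuer and verifier explicit.

```javascript
// Added example (not the page's tool code): the claim checks a backend runs once
// the signature has been verified. The expected issuer and audience are
// constructed placeholders; `nowSeconds` and `leewaySeconds` make clock skew explicit.
function validateClaims(payload, options) {
  const {
    expectedIssuer,
    expectedAudience,
    nowSeconds = Math.floor(Date.now() / 1000),
    leewaySeconds = 0,
  } = options;
  const problems = [];
  const isNumericDate = (v) => typeof v === 'number' && Number.isFinite(v);

  // iss: exact string match against the authority this service trusts.
  if (payload.iss !== expectedIssuer) {
    problems.push(`iss: expected ${expectedIssuer}, got ${JSON.stringify(payload.iss)}`);
  }

  // aud: a single string or an array of strings; this service must be listed.
  const audiences = Array.isArray(payload.aud) ? payload.aud : payload.aud === undefined ? [] : [payload.aud];
  if (!audiences.includes(expectedAudience)) {
    problems.push(`aud: ${expectedAudience} not in ${JSON.stringify(audiences)}`);
  }

  // exp: required here; now must be strictly before exp (plus leeway).
  if (!isNumericDate(payload.exp)) problems.push('exp: missing or not a NumericDate');
  else if (nowSeconds >= payload.exp + leewaySeconds) problems.push(`exp: expired at ${payload.exp}`);

  // nbf: optional; the token is unusable before it (minus leeway).
  if (payload.nbf !== undefined) {
    if (!isNumericDate(payload.nbf)) problems.push('nbf: not a NumericDate');
    else if (nowSeconds < payload.nbf - leewaySeconds) problems.push(`nbf: not valid before ${payload.nbf}`);
  }

  // iat: optional; a token "issued" in the future points at a clock problem.
  if (payload.iat !== undefined && (!isNumericDate(payload.iat) || payload.iat > nowSeconds + leewaySeconds)) {
    problems.push('iat: malformed or in the future');
  }

  // sub: who the token is about; an authorization decision needs it.
  if (typeof payload.sub !== 'string' || payload.sub.length === 0) problems.push('sub: missing');

  return problems;
}

// OAuth 2.0 `scope` is a space-separated string; `roles`, when present, is
// usually an array and would be checked the same way.
function hasScope(payload, required) {
  const scopes = typeof payload.scope === 'string' ? payload.scope.split(' ') : [];
  return scopes.includes(required);
}

// Constructed sample values (not from the page).
const NOW = 1700000000;
const EXPECTED = {
  expectedIssuer: 'https://issuer.example',
  expectedAudience: 'api.example',
  nowSeconds: NOW,
  leewaySeconds: 30,
};
const GOOD_PAYLOAD = {
  iss: 'https://issuer.example', aud: ['api.example', 'other.example'], sub: 'u123',
  iat: NOW - 60, nbf: NOW - 60, exp: NOW + 3600, jti: 'constructed-id-1',
  scope: 'read:orders write:orders',
};
const BAD_PAYLOAD = { iss: 'https://other-issuer.example', aud: 'someone-else', sub: 'u123', exp: NOW - 120 };

console.log('good:', validateClaims(GOOD_PAYLOAD, EXPECTED));            // []
console.log('bad :', validateClaims(BAD_PAYLOAD, EXPECTED));             // three problems: iss, aud, exp
console.log('scope read:orders?', hasScope(GOOD_PAYLOAD, 'read:orders')); // true
```

Returning every problem rather than stopping at the first makes the function useful as a debugging aid as well as a gate: a rejected token's log line then says which of `iss`, `aud`, `exp` or `nbf` was wrong.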