JWT Decoder

Paste a JWT token to decode it

Decodes header · payload · claims · expiry · HS256 signature verification

Also accepts Bearer eyJ… format

JWT Decoder Online — Decode & Verify JSON Web Tokens

Share

About this tool

Free JWT Decoder and Verifier

This JWT Decoder is a free, browser-based tool for inspecting, debugging, and verifying JSON Web Tokens. A JWT (JSON Web Token, pronounced "jot") is the industry-standard format — defined by RFC 7519 — for securely transmitting authentication and authorisation data between parties. JWTs are used everywhere: OAuth 2.0 access tokens, OpenID Connect ID tokens, API keys, and session tokens in frameworks like Auth0, Firebase, AWS Cognito, Keycloak, and NextAuth.js all use this format. Every JWT is made of three Base64URL-encoded sections: a header declaring the signing algorithm (HS256, RS256, ES256, etc.), a payload carrying claims like the user's identity, roles, and token expiry, and a cryptographic signature that proves the token has not been tampered with. This decoder instantly splits and decodes any JWT, renders the header and payload as syntax-highlighted JSON, and annotates every recognised claim with a plain-English description so you understand what each field means without reading the RFC. Time-based claims (exp, iat, nbf) are converted to human-readable dates, and a live expiry countdown updates every second. HS256 tokens can be signature-verified directly in your browser using the Web Crypto API — no backend, no API calls, no data ever leaves your machine.

Features

  • Decode any JWT instantly — Base64URL-decodes header and payload into formatted, syntax-highlighted JSON
  • Claims table with plain-English descriptions for 20+ standard JWT (RFC 7519) and OIDC claims
  • Time-based claims (exp, iat, nbf, auth_time) converted to human-readable date strings alongside Unix timestamps
  • Live expiry countdown — colour-coded progress bar and per-second timer show exactly how long until the token expires
  • HS256 HMAC-SHA256 signature verification via the browser's Web Crypto API — no server, no network request
  • Bearer prefix auto-strip — paste directly from HTTP Authorization headers without editing
  • alg:none security warning — amber alert for tokens with no signing algorithm
  • Syntax highlighting for keys, strings, numbers, and booleans across both panels
  • Sample JWT pre-loaded with name, email, roles, scope, iss, aud, and a far-future exp for instant testing
  • 100% client-side — all decoding and verification runs in the browser, nothing is ever sent to a server

How to Use

Paste any JSON Web Token into the input box at the top of the page. The token can be in raw form — three dot-separated Base64URL segments — or prefixed with "Bearer " exactly as it appears in HTTP Authorization headers; the prefix is stripped automatically. As soon as you paste, the tool splits the token and decodes the header and payload in real time, displaying each as indented, syntax-highlighted JSON in the Header and Payload panels. In the Header panel you will see the alg (signing algorithm) and typ fields. In the Payload panel the JSON is followed by a claims table: every recognised field is listed with its decoded value and a plain-English description. Standard time-based claims — exp (Expiration Time), iat (Issued At), nbf (Not Before), and auth_time — are displayed both as Unix timestamps and as human-readable date-time strings so you can read them at a glance. If the token contains an exp claim, a colour-coded progress bar appears above the panels showing how much of the token's lifetime has elapsed, and a live countdown beneath it ticks down every second. For HS256 tokens, scroll to the Signature panel, enter your shared HMAC secret in the input box (you can toggle visibility with the eye button), and click Verify — the tool uses HMAC-SHA256 via the browser's Web Crypto API to validate the signature client-side. If the token uses alg:none, an amber warning appears immediately in the Signature panel. Not sure where to start? Click Sample JWT in the header bar to load a pre-built example token with name, email, roles, scope, iss, aud, and a far-future expiry, then explore all the panels and features before switching to your own tokens.

Common Use Cases

{}
Debug API Authentication
When a request fails with 401 Unauthorized or user permissions look wrong, paste the access token from the Authorization header to instantly see the decoded claims, roles, scope, and whether the token has already expired — without writing a single line of code.
Verify HS256 Signatures
Confirm that a token was signed with the correct shared secret in seconds. Paste the JWT, enter your HMAC secret, click Verify, and get an immediate pass or fail result — all computed locally via the Web Crypto API with no data leaving your browser.
Monitor Token Expiry
The live countdown and colour-coded progress bar let you watch a short-lived token expire in real time — essential when testing refresh token flows, session timeouts, or token rotation behaviour in your authentication pipeline.
Inspect OIDC Identity Tokens
OpenID Connect ID tokens from Auth0, Firebase, Google, Keycloak, and AWS Cognito carry claims like sub, email, name, picture, locale, and roles. Decode them instantly to see exactly what your identity provider is returning for each user.
Security Audits
Check for dangerous patterns — alg:none tokens with no cryptographic protection, excessively long expiry windows, missing iss or aud claims that could allow token reuse, or sensitive personal data in the payload that should never be there.
Learn JWT Internals
If you are new to JWTs or teaching a team, this tool makes it tangible — paste a real token, see the structure, and read the description for every claim. Understand what iss, sub, azp, jti, and at_hash mean without diving into the RFC.

Frequently Asked Questions

A JSON Web Token (JWT, pronounced "jot") is an open standard (RFC 7519) for securely transmitting information between parties as a compact JSON object. A JWT consists of three Base64URL-encoded segments joined by dots: the header, the payload, and the signature. The header declares the token type ("JWT") and the signing algorithm used — such as HS256, RS256, or ES256. The payload contains claims: statements about the subject and additional metadata like user ID, email, roles, and expiry time. The signature is computed from the header and payload using a secret or private key, proving the token was issued by a trusted party and has not been tampered with.

Paste the full JWT into the input field at the top of the page — including or excluding the "Bearer " prefix. The decoder instantly splits it into three parts and Base64URL-decodes the header and payload, displaying them as formatted, syntax-highlighted JSON. Decoding does not require the secret key: the header and payload are only encoded, not encrypted. The signature is shown in its raw Base64URL form and can be verified separately if you have the secret.

Yes, for HS256 (HMAC-SHA256) tokens. Enter the shared secret in the Verify Signature box inside the Signature panel and click Verify. The tool uses the browser's built-in Web Crypto API to re-compute the expected signature from the header and payload and compare it against the token signature — without making any network request. For RS256 (RSA) and ES256 (ECDSA) tokens, verification requires the public key and is noted in the Signature panel.

Yes. All processing — decoding, signature verification, and expiry calculation — runs entirely in your browser using JavaScript and the Web Crypto API. No data is ever transmitted to any server. If you are handling production tokens with sensitive user data, you can disconnect from the internet before pasting to be completely certain nothing leaves your machine.

The tool recognises all seven standard IANA JWT claims from RFC 7519: iss (Issuer), sub (Subject), aud (Audience), exp (Expiration Time), nbf (Not Before), iat (Issued At), and jti (JWT ID). It also supports common OpenID Connect (OIDC) claims: name, given_name, family_name, email, email_verified, picture, locale, roles, scope, azp (Authorized Party), sid (Session ID), at_hash, nonce, and auth_time. Each recognised claim is shown with a plain-English description. Unknown custom claims are displayed without descriptions.

When the payload contains an exp (Expiration Time) claim, the tool calculates what percentage of the token's lifetime has elapsed — using iat (Issued At) as the start time. A colour-coded progress bar fills left to right as the token ages, turning amber then red as expiry approaches. A text countdown shows the remaining time in hours, minutes, and seconds and updates every second. Expired tokens are flagged with a red "Expired" badge and the display shows how long ago they expired.

Yes. When you copy an Authorization header value from browser DevTools, Postman, or an API client, it typically reads "Bearer eyJhbGci...". The tool automatically strips the "Bearer " prefix (case-insensitive) before decoding, so you can paste the full header value directly without any editing.

The JWT specification originally allowed tokens with alg set to "none", meaning no signature is computed or verified. An attacker can exploit a server that accepts alg:none tokens by crafting arbitrary payloads without a valid secret — this is a well-known vulnerability (CVE-2015-9235). This decoder shows an amber warning box when it detects alg:none, reminding you that the token carries no cryptographic protection and should never be accepted by a production server.

Decoding means reading the header and payload — it requires no secret key and simply Base64URL-decodes the first two dot-separated segments. Anyone with the raw token string can decode it, which is why you should never put sensitive secrets directly in a JWT payload. Verifying means checking that the cryptographic signature matches the header and payload using the correct secret or public key, proving the token was issued by a trusted party and has not been modified in transit. Always verify JWTs on the server side before trusting their claims.

Any JWT can be decoded regardless of its signing algorithm, because decoding only involves Base64URL-decoding the header and payload segments. Signature verification in this browser tool currently supports HS256 (HMAC-SHA256). RS256 (RSA-SHA256) and ES256 (ECDSA P-256-SHA256) verification require a public key and are not yet implemented. The algorithm is always visible in the decoded Header panel under the alg field.

Yes. JWTs from any standards-compliant identity provider — Auth0, Firebase Authentication, AWS Cognito, Google OAuth 2.0, Keycloak, Okta, Azure AD, NextAuth.js, and others — follow the same RFC 7519 structure and can be decoded instantly. OIDC-specific claims like sub, email, picture, and azp are all recognised and described. Note that RS256 tokens from these providers (signed with a private key) can be decoded but not signature-verified in the browser without the public key.