JWT Decoder
Instantly decode JWT tokens and inspect headers, payloads, and signatures. Provides HMAC signature verification, expiration checking, and history storage features.
What is a JWT Decoder?
A JWT Decoder is a tool that analyzes JSON Web Tokens (JWT) to inspect the header, payload, and signature, and verify the token’s validity. It’s essential for development and debugging of authentication systems used in APIs, OAuth, SSO, and more.
Simply paste your token and it will be instantly decoded, allowing you to visually inspect all claims including algorithm, expiration time, and issuer information. For HMAC algorithms, you can enter a Secret Key to verify the signature validity.
Use Cases
- API Debugging – Check the contents of REST API authentication tokens and verify expiration status
- OAuth Development – Analyze access_token and id_token when implementing OAuth 2.0 / OpenID Connect
- Authentication Troubleshooting – Diagnose the root cause of errors like “Token expired” or “Invalid signature”
- Security Review – Identify sensitive information placed in the payload and spot risky settings such as a header with alg set to none, a missing exp claim, or an unusually long token lifetime
- Learning Purpose – Hands-on practice to understand JWT structure and operation principles
- Client Development – Test token parsing and expiration handling logic on the frontend
Key Features
- Real-time Decoding – Instantly separates JWT into header, payload, and signature in JSON format upon input
- Expiration Verification – Analyzes exp, iat, and nbf claims to display token validity and remaining time
- HMAC Signature Verification – Verifies signatures for HS256, HS384, and HS512 algorithms using Secret Key
- Detailed Claim Analysis – View all standard claims like iss, sub, aud at a glance
- Syntax Highlighting – Color-coded JSON keys, strings, numbers, and booleans for easy reading
- History Storage – Save the last 5 decoded JWTs locally for quick reuse
- Clipboard Copy – Copy header, payload, and signature individually
- Sample JWT – Load a test sample token instantly to explore features
How to Use
- Enter JWT – Paste the JWT token you want to analyze into the left input field (starting with eyJ…)
- View Results – The right side displays the separated Header (algorithm), Payload (data), and Signature
- Check Expiration – View token validity and remaining time in the status cards at the top
- Verify Signature (Optional) – For HMAC algorithms, enter the Secret Key to display signature validity
- Copy/Use – Use the copy button in each section to copy parts to your clipboard
Understanding JWT Structure
A JWT consists of three parts separated by dots (.):
| Component | Contents | Example |
|---|---|---|
| Header | Algorithm (alg) and token type (typ) | {"alg":"HS256","typ":"JWT"} |
| Payload | Claims – Information contained in the token | {"sub":"123","name":"John"} |
| Signature | MAC or digital signature over the encoded header and payload | HMACSHA256(base64url(header) + "." + base64url(payload), secret) |
Standard JWT Claims
| Claim | Description | Example |
|---|---|---|
| iss | Issuer | https://auth.example.com |
| sub | Subject – User ID | user_12345 |
| aud | Audience – Token recipient | my-app |
| exp | Expiration Time | 1735689600 (Unix timestamp) |
| iat | Issued At | 1735686000 (Unix timestamp) |
| nbf | Not Before | 1735686000 (Unix timestamp) |
| jti | JWT ID | abc123xyz |
Supported Algorithms
- HS256 (HMAC + SHA-256) – Symmetric key algorithm, most commonly used. Signature verification possible with Secret Key. RFC 7518 requires the key to be at least as long as the hash output (256 bits of random key material for HS256); the security of any HMAC variant is bounded by the entropy of that secret, not by the hash length
- HS384 (HMAC + SHA-384) – Produces a longer tag than HS256 and requires a key of at least 384 bits
- HS512 (HMAC + SHA-512) – Longest HMAC tag and requires a key of at least 512 bits. Choose it for policy or interoperability reasons; a properly keyed HS256 is not considered weak
- RS256, RS384, RS512 – RSA asymmetric key algorithms (decoding only, signature verification not supported)
- ES256, ES384, ES512 – ECDSA elliptic curve algorithms (decoding only)
* Signature verification for RSA and ECDSA algorithms requires a public key. The current version only supports signature verification for HMAC algorithms.
Privacy Protection
This tool operates 100% in your browser. Your JWT token and Secret Key are never sent to any server, and all decoding and signature verification happen only on your device. Nothing from the current session is kept except the decode history, which is saved in your browser's local storage and therefore survives closing the browser until you remove it with ‘Clear All’ or clear site data. Avoid pasting production tokens or secrets on a shared machine for that reason.
Details
Results in JWT Decoder are generated from your input values and selected options.
For final decisions, cross-check with official guidelines or expert review.
Frequently Asked Questions
Do I need a Secret Key to decode JWT?
No, the Header and Payload of a JWT are only Base64Url encoded, so they can be decoded without a Secret Key. The Secret Key is only needed for signature verification, which proves who issued the token and that it was not modified, not that its contents are hidden. Therefore, you should never store sensitive information in a plain (JWS) JWT; if confidentiality is required, the token must be encrypted as a JWE instead.
The token shows as expired. What should I do?
If the exp (expiration time) claim is in the past compared to the current time, the token is marked as expired. A correctly configured server rejects expired tokens (some allow a small leeway of a few seconds for clock skew), so you need to use a refresh token or log in again to obtain a new one. If a freshly issued token already shows as expired, check the clock on the issuing server.
Why does it show “Signature Mismatch”?
Signature mismatch occurs when the Secret Key you entered differs from the key used to issue the token, or when the header or payload was modified after signing (even a single changed character invalidates the signature). For RSA or ECDSA algorithms this tool shows “HMAC Only”, since it verifies HMAC signatures only. Please verify the correct Secret Key. Note that a matching signature only proves integrity under that key; the server that accepts the token must still enforce the expected algorithm and check the exp and aud claims itself.
What’s the difference between JWT and session-based authentication?
Session-based authentication stores session information on the server and manages session IDs via cookies. In contrast, JWT contains information within the token itself, so the server doesn’t need to maintain state (Stateless). JWT is suitable for microservices, mobile apps, and SPAs, while sessions are suitable for traditional web applications. The trade-off of statelessness is that a JWT cannot be revoked before its exp without extra server-side state such as a denylist, so keep token lifetimes short.
What information should NOT be included in a JWT?
The Payload of a JWT is only encoded, not encrypted, so anyone can view it. Therefore, you should never include sensitive information like passwords, credit card numbers, or social security numbers. Only include essential information such as user ID, roles, and expiration time.
Is the JWT I enter sent to a server?
No, this tool operates 100% in the browser (client-side). Your JWT and Secret Key are never sent to any server, and all decoding and verification are processed only in your browser using JavaScript. You can verify this yourself in the network tab.