JWT Decoder
Inspect tokens securely in your browser.
The Ultimate Client-Side JWT Debugger
JSON Web Tokens (JWT) are the open standard (RFC 7519) for securely transmitting information between parties as a JSON object. They are the backbone of modern web authentication, used by OAuth, OpenID Connect, and thousands of APIs worldwide.
Our Pro JWT Decoder helps you inspect the contents of these tokens instantly. Whether you are debugging a login issue, checking if a token has expired, or verifying scopes, this tool gives you visibility into the data hidden inside the Base64 string. Best of all, it works entirely offline in your browser.
Anatomy of a JWT
A JWT is technically a JWS (JSON Web Signature) consisting of three parts separated by dots (`.`):
1. Header
Defines the type of token (`typ: "JWT"`) and the signing algorithm used, such as `HS256` (HMAC) or `RS256` (RSA).
2. Payload
Contains the **Claims**. This is the data being transferred, like user ID (`sub`), expiration (`exp`), and permissions (`scope`).
3. Signature
Generated by taking the encoded Header, encoded Payload, and a **Secret Key**. It ensures the token hasn't been tampered with.
Security Best Practices
- **Don't Trust the Payload:** The payload is readable by anyone (as you can see here!). Never put passwords, social security numbers, or sensitive PII inside a JWT.
- **Always Verify the Signature:** On your server, always check the signature before trusting the token. If the signature is invalid, reject the request immediately.
- **Use Short Expirations:** If a token is stolen, the attacker has access until it expires. Keep the `exp` time short (e.g., 15 minutes) and use Refresh Tokens for long sessions.
- **Enforce HTTPS:** JWTs are usually sent in the `Authorization: Bearer` header. If not sent over HTTPS, they can be intercepted easily (Man-in-the-Middle).
Frequently Asked Questions
Is it safe to paste my production JWT here?
Yes. This tool is 100% Client-Side. Your token is processed locally in your browser using JavaScript and is NEVER sent to our servers. However, as a general security best practice, we recommend invalidating tokens after pasting them in any online tool.
How do I verify the signature?
We intentionally do not verify signatures to protect your security. Verifying a signature requires your Private Secret Key (HMAC) or Private Key (RSA/ECDSA). You should NEVER share your private keys with a third-party website. We only decode the payload for inspection.
What happens when a token expires?
When the `exp` (expiration) timestamp is in the past, the token is considered invalid by the server. Our tool highlights expired tokens in red and shows a countdown for valid ones. Most APIs will reject expired tokens with a 401 Unauthorized error.
Can I edit the JWT payload?
You can change the text, but the Signature will become invalid. The signature is mathematically generated from the content. If you change a single character in the payload, the signature must be recalculated using the original Secret Key. Without the key, you cannot create a valid forged token.
What is the 'sub' claim?
The `sub` (Subject) claim identifies the principal that is the subject of the JWT. This is usually the User ID or Email Address of the authenticated user.
Status 401 vs 403 with JWT?
A 401 Unauthorized usually means the token is missing, invalid, or expired. A 403 Forbidden means the token is valid, but the user does not have the necessary permissions (scopes) to access the resource.
Difference between JWS and JWE?
Most 'JWTs' are actually JWS (JSON Web Signature), meaning the payload is readable but signed. JWE (JSON Web Encryption) encrypts the payload so it is unreadable to anyone without the decryption key. This tool supports JWS.
Why does my JWT start with 'ey'?
Because it is Base64Url encoded. A JSON object opens with `{"`, and those two bytes map to `ey` in Base64. Almost all JWTs start with this sequence.
How do I invalidate a JWT?
Since JWTs are stateless, you can't 'delete' them. To invalidate one, you must either:
1. Wait for it to expire (keep lifespans short!),
2. Rotate the Secret Key (invalidates ALL tokens), or
3. Implement a 'Blacklist' or 'Revocation List' (adds state back to your server).
Which algorithm should I use?
For internal microservices, high-speed HS256 (HMAC) is fine. For public-facing APIs (e.g., Auth0, Firebase), use RS256 (RSA) so clients can verify tokens using your Public Key without knowing your Private Key.