jwt_decoder.js READY
FORMAT:  header.payload.signature
 HEADER — algorithm & type
 PAYLOAD — claims & data
 SIGNATURE — raw Base64Url
Signature not verified. To verify this token, you need the secret key or public key used to sign it. This tool only decodes — it cannot confirm authenticity.
Docs: How to Use
Copy your JWT token
Find your token in an API response, browser DevTools (Application → Cookies / LocalStorage), or the Authorization header. It starts with eyJ and contains exactly two dots separating three parts.
Paste into the input
Paste the full token into the text area. Watch the preview highlight each part: header, payload, and signature in distinct colors.
Click Decode Token
Hit the Decode button (or press Ctrl+Enter). The tool Base64Url-decodes each section and displays it as formatted JSON. Switch between Header, Payload and Signature tabs to inspect each part.
Inspect claims
The Payload tab shows standard claims (exp, sub, iat, iss) with plain-English explanations. Expired tokens are flagged in red automatically.
FAQ: Frequently Asked Questions
A JWT (JSON Web Token) is a compact, URL-safe way to transmit information between parties as a signed JSON object. It has three parts separated by dots: a header (algorithm), a payload (claims/data), and a signature (integrity proof). JWTs are widely used for authentication and API authorization.
Yes — completely. This tool runs 100% in your browser. Your token is never sent to any server, never logged, never stored. You can verify this by disconnecting from the internet: the tool will still work. The decoding is pure JavaScript running on your device.
The payload contains "claims" — statements about the user or entity. Standard claims include sub (subject/user ID), iat (issued at), exp (expiration), iss (issuer), aud (audience), and nbf (not before). Applications can also add any custom claims.
Yes. Decoding only Base64Url-decodes the parts — it does not validate the expiry time. Any structurally valid JWT will decode. The tool shows the exp value and flags expired tokens in red so you can immediately see they've expired.
No. Verification requires the secret key (HMAC: HS256, HS512) or public key (RSA/ECDSA: RS256, ES256) used to sign the token. This tool only decodes — it cannot confirm the token is authentic. For server-side verification use jsonwebtoken (Node.js), PyJWT (Python), or your language's equivalent.
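The difference between decoding and verifying, as an added Node.js example (not this tool's own code): a token whose payload was altered still decodes cleanly, and only the HS256 check with the secret rejects it. The function names, the secret and the claims are constructed for illustration.

```javascript
const crypto = require('crypto');

// Base64Url helpers (URL-safe alphabet, no padding).
const b64u = (buf) => Buffer.from(buf).toString('base64url');
const fromB64u = (s) => Buffer.from(s, 'base64url');

// Decode only: what a decoder tool does. No authenticity is established.
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const [h, p, s] = parts;
  return {
    header: JSON.parse(fromB64u(h).toString('utf8')),
    payload: JSON.parse(fromB64u(p).toString('utf8')),
    signature: s,
    signingInput: `${h}.${p}`,
  };
}

// Expiry check on the decoded exp claim (seconds since the epoch).
function isExpired(payload, nowSec = Math.floor(Date.now() / 1000)) {
  return typeof payload.exp === 'number' && nowSec >= payload.exp;
}

// Verify HS256 with the shared secret. The algorithm is pinned by the
// verifier rather than trusted from the token's own header.
function verifyHs256(token, secret) {
  let d;
  try { d = decodeJwt(token); } catch { return false; }
  if (d.header.alg !== 'HS256') return false;
  const expected = crypto.createHmac('sha256', secret).update(d.signingInput).digest();
  const given = fromB64u(d.signature);
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// Constructed sample data: the secret, claims and token are made up for this example.
const SECRET = 'constructed-demo-secret';
function signHs256(payload, secret) {
  const input = `${b64u(JSON.stringify({ alg: 'HS256', typ: 'JWT' }))}.${b64u(JSON.stringify(payload))}`;
  return `${input}.${crypto.createHmac('sha256', secret).update(input).digest('base64url')}`;
}
const token = signHs256({ sub: 'user-123', role: 'viewer', exp: 1700000000 }, SECRET);

// Same header and signature, altered payload: decodes fine, fails verification.
const [hdr, , sig] = token.split('.');
const tampered = `${hdr}.${b64u(JSON.stringify({ sub: 'user-123', role: 'admin', exp: 1700000000 }))}.${sig}`;
```

Here `verifyHs256` checks the signature only; a server must still apply `isExpired` (and any iss/aud checks) to the verified payload before trusting it.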