JWT Decoder

Free online JWT decoder. Decode and inspect JWT tokens, view header and payload claims, check expiration times, and understand token structure.

About JWT Tokens

  • A JWT has 3 parts: Header, Payload, and Signature
  • The header and payload are Base64URL encoded JSON
  • The signature verifies the token hasn't been tampered with
  • This tool decodes but does NOT verify the signature

JWT Decoder helps you inspect JSON Web Tokens by decoding the header and payload into readable JSON. It is designed for debugging authentication flows, checking claim values, and confirming token timing without exposing signing secrets. Because JWT segments are Base64URL encoded, this tool works well alongside Base64 Encoder when you need to inspect or reconstruct specific sections during troubleshooting.

How to use

  1. Paste a JWT string in header.payload.signature format.
  2. Review decoded header and payload JSON instantly.
  3. Check exp, iat, and nbf values to understand token lifetime.
  4. Copy output for deeper analysis in JSON Formatter.

If you need to compare claim times with server logs, convert and verify values using Unix Timestamp Converter. For signing checks and digests in custom implementations, keep Hash Generator handy while testing algorithms and expected outputs.

Key features

  • Instant decode of JWT header and payload segments.
  • Readable JSON output for standard and custom claims.
  • Automatic interpretation of Unix time claims.
  • Browser-side processing for private local inspection.

Common use cases

  • Debugging failed login sessions caused by expired tokens.
  • Confirming expected issuer, audience, and subject claims.
  • Reviewing role or scope claims during authorization testing.
  • Diagnosing malformed tokens from mobile, SPA, or API clients.

Technical details

JWT follows RFC 7519 and uses three dot-separated components: header, payload, and signature. The first two segments are JSON objects encoded with Base64URL, where + and / are replaced by - and _ to keep tokens URL-safe. The signature is calculated over base64Url(header) + "." + base64Url(payload).

Common header fields include:

  • alg: signing algorithm such as HS256 or RS256
  • typ: token type, commonly JWT

Common payload claims include:

  • iss issuer, sub subject, aud audience
  • exp expiration time, nbf not-before time, iat issued-at time
  • jti token identifier

Time claims are numeric Unix timestamps in seconds, not milliseconds. A frequent bug is comparing seconds to Date.now() milliseconds without conversion. Another common issue is clock drift between systems, which can invalidate otherwise correct tokens.

Decoding does not verify trust. A token can decode cleanly and still be forged, expired, revoked, or signed with the wrong key. Always perform verification and claim validation server-side before granting access.
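
The decode step and the seconds-versus-milliseconds time check described above, as an added JavaScript example (not this tool's own code). The function names, the 60-second leeway default and the sample token are assumptions made for illustration, and the signature is deliberately left unchecked.

```javascript
// Added example: decode (NOT verify) a JWT and evaluate its time claims.
// atob/btoa and TextDecoder are globals in browsers and in Node 16+.

function decodeSegment(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error("invalid Base64URL segment");
  // Base64URL -> Base64: swap the URL-safe characters back and restore padding.
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/")
    .padEnd(Math.ceil(segment.length / 4) * 4, "=");
  const bytes = Uint8Array.from(atob(b64), (ch) => ch.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes)); // throws on malformed JSON
}

function decodeJwt(token) {
  const parts = String(token).trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  return { header: decodeSegment(parts[0]), payload: decodeSegment(parts[1]), signature: parts[2] };
}

// Claims are seconds; nowMs is Date.now()-style milliseconds, converted once here.
// The frequent bug `payload.exp < Date.now()` would report every real token as expired.
// leewaySec (assumed default 60) tolerates clock drift between issuer and checker.
function timeStatus(payload, nowMs = Date.now(), leewaySec = 60) {
  const nowSec = Math.floor(nowMs / 1000);
  for (const claim of ["exp", "nbf", "iat"]) {
    if (claim in payload && !Number.isFinite(payload[claim])) return `invalid-${claim}`;
  }
  if ("exp" in payload && nowSec - leewaySec >= payload.exp) return "expired";
  if ("nbf" in payload && nowSec + leewaySec < payload.nbf) return "not-yet-valid";
  return "in-window"; // says nothing about trust: the signature was never checked
}

// Constructed sample token with a placeholder signature, built inline so this runs offline.
function sampleToken(payload) {
  const seg = (obj) => btoa(JSON.stringify(obj))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${seg({ alg: "HS256", typ: "JWT" })}.${seg(payload)}.c2FtcGxl`;
}

const demo = decodeJwt(sampleToken({ sub: "user-1", iat: 1700000000, exp: 1700003600 }));
console.log(demo.header.alg, demo.payload, timeStatus(demo.payload, 1700001000 * 1000));
```

An "in-window" result only describes the claimed lifetime; the token still has to pass signature and claim validation on the server before it is trusted.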

FAQ

Can this tool verify a JWT signature?

No. It decodes and inspects token contents, but signature verification requires the correct secret or public key and must be done in your backend.

Why are exp, iat, and nbf shown as dates?

JWT time claims are Unix timestamps in seconds. The decoder converts them into readable dates so you can quickly validate token timing.

Is it safe to paste production JWTs here?

Decoding is client-side only, but tokens may contain sensitive claims. Share only what your security policy allows and avoid exposing live credentials.

What causes an invalid token format error?

A JWT must contain three dot-separated parts: header, payload, and signature. Missing segments, invalid Base64URL data, or malformed JSON can trigger errors.

How can I inspect nested JSON claims more easily?

Copy the decoded payload into a JSON formatter to expand and validate nested objects before debugging authorization logic.

Privacy note

Token decoding is performed in your browser only. The content is not uploaded or persisted by this tool.
