JWT Decoder and Claims Inspector

Decode JWT headers and payloads locally, inspect registered claims, timing, audience and risk signals.

  • Runs locally
  • Category: Developer & DevOps
  • Best for: formatting, validating, shrinking, or inspecting code-adjacent text.
Runs locally in this tab. JWT input is not uploaded, saved, or placed in the URL.

Paste a JWT to inspect its claims.

The token stays in the browser. The result will show header metadata, registered claims, timing status and risk findings.

What this tool does

Browser-only JWT decoder and claims inspector for developers debugging authentication flows. Paste a JSON Web Token to decode the header, payload and signature, then review registered claims such as iss, sub, aud, exp, nbf, iat, jti, scope and roles. The inspector highlights expiry status, not-before windows, likely millisecond timestamps, alg=none, missing audience or expiration claims, and the important reminder that decoding is not signature verification. Nothing is uploaded or written to the URL, so bearer tokens stay inside the current tab.

Tool details

  • Input: Text + Structured content. The page exposes text boxes, numeric controls, file pickers, or structured inputs depending on the tool.
  • Output: Live result + Copy. The result area focuses on usable output, with copy, download, or preview actions when supported.
  • Privacy: Browser-side processing. The main tool logic does not call an external API, so inputs normally stay in the current tab.
  • Save / share: Shareable URL state. Key settings are encoded in the URL so another person can reopen the same setup.
  • Performance budget: Initial JS <= 32 KB. No WASM budget is declared, keeping the tool quick to open on mobile.
  • Best fit: Developer & DevOps · Developer. Category and role tags drive related tools, internal links, and quick fit checks.

How to use

  1. Input

    Paste or drop your content into the tool panel.

  2. Process

    Click the button. All processing is local in your browser.

  3. Copy / Download

    Copy the result or download to disk in one click.

How JWT Decoder and Claims Inspector fits into your work

Use it in the small gaps between coding, reviewing, debugging, and shipping.

Developer jobs

  • Formatting, validating, shrinking, or inspecting code-adjacent text.
  • Preparing snippets for documentation, tickets, commits, or handoff.
  • Checking a small payload quickly without switching tools.

Developer checks

  • Run irreversible transforms like minify or obfuscate on a copy.
  • Keep secrets out of pasted snippets unless the tool explicitly stays local.
  • Use your normal tests or linter before shipping transformed code.

Good next steps

These links move the current task into a more complete workflow.

  1. JWT Decoder: Decode JWT header / payload / signature — verify structure, check exp, copy claims — browser-only
  2. JWT Encoder: Encode JWT — pick algorithm (HS256/HS384/HS512), set header/payload/secret, get token.
  3. Unix Timestamp Converter: Unix timestamp ⇄ human date — seconds / milliseconds / ISO 8601 — UTC and local — browser-only

Real-world use cases

  • Diagnose an API 401 before touching backend code

    Paste the bearer token from the failed request and check exp, nbf, iat, iss and aud in one panel. If the token expired two minutes ago or was minted for the wrong audience, you can fix the client refresh or OAuth configuration instead of chasing route handlers.

  • Verify whether a role or scope is actually present

    When a user can log in but cannot access an admin action, decode the token and inspect scope, scp, roles, groups and permissions. Seeing the missing claim makes it clear whether the issue is the identity provider mapping, the token request, or your backend authorization policy.

  • Catch dangerous JWT debugging shortcuts

    Tokens with alg=none, missing exp, future nbf, or millisecond-looking NumericDate values often point to real implementation mistakes. The inspector surfaces those signals as explicit checks so reviewers do not have to infer them from raw JSON.

  • Compare header key metadata during SSO rotations

    During a JWKS or SSO key rotation, read the alg, kid, typ and cty fields before checking your verifier cache. If the kid does not match a currently published key, the problem is probably stale key material rather than the token payload itself.

Common pitfalls

  • Treating a clean decode as proof of validity. Anyone can base64url-encode JSON; only signature verification and issuer/audience checks make claims trustworthy.

  • Reading JWT NumericDate values as JavaScript milliseconds. JWT exp, nbf and iat are Unix seconds, so multiplying or dividing at the wrong layer creates confusing clock bugs.

  • Sharing a debug URL that contains a token. This tool avoids URL state for JWT input because bearer tokens often grant live access while they remain valid.
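The checks described in the use cases and pitfalls above can be reproduced in a few lines of plain JavaScript. This is an added example, not Toolora's code: the finding names, the `MS_THRESHOLD` cut-off and the sample tokens are assumptions constructed for illustration. It decodes only and never verifies a signature.

```javascript
// Added example: decode-only inspection. It never verifies the signature.
const MS_THRESHOLD = 1e11; // assumption: a NumericDate above this is milliseconds (1e11 s is past the year 5000)

function b64urlJson(part) {
  let b64 = part.replace(/-/g, "+").replace(/_/g, "/");
  b64 += "=".repeat((4 - (b64.length % 4)) % 4); // restore padding stripped by base64url
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}

function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const header = b64urlJson(parts[0]);
  const payload = b64urlJson(parts[1]);
  const findings = ["signature-not-verified"]; // a clean decode proves nothing about origin

  if (String(header.alg).toLowerCase() === "none") findings.push("alg-none");
  if (parts[2] === "") findings.push("empty-signature");
  if (payload.aud === undefined) findings.push("missing-aud");
  if (payload.exp === undefined) findings.push("missing-exp");

  for (const claim of ["exp", "nbf", "iat"]) {
    const v = payload[claim];
    if (v === undefined) continue;
    if (typeof v !== "number" || !Number.isFinite(v)) findings.push(`${claim}-not-numeric`);
    else if (v > MS_THRESHOLD) findings.push(`${claim}-looks-like-milliseconds`);
  }
  // Only compare against the clock when the value is plausibly in seconds.
  const usable = (c) => typeof payload[c] === "number" && payload[c] <= MS_THRESHOLD;
  if (usable("exp") && nowSeconds >= payload.exp) findings.push("expired");
  if (usable("nbf") && nowSeconds < payload.nbf) findings.push("not-yet-valid");
  return { header, payload, findings };
}

// Constructed sample tokens (no real keys, issuers or signatures).
const enc = (obj) =>
  btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const NOW = 1700000000;
const unsignedToken = `${enc({ alg: "none", typ: "JWT" })}.${enc({ sub: "u1", exp: NOW * 1000 })}.`;
const expiredToken =
  `${enc({ alg: "HS256", kid: "k1" })}.${enc({ iss: "https://idp.example", aud: "api", exp: NOW - 120 })}.c2ln`;

console.log(inspectJwt(unsignedToken, NOW).findings);
console.log(inspectJwt(expiredToken, NOW).findings);
```

Every result carries `signature-not-verified` because an inspector of this kind only reads the token; trust decisions still belong to a verifier that checks the signature, issuer and audience.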

Privacy

JWT input is treated as sensitive. Decoding and claim inspection happen with plain JavaScript in the browser tab, no API request is made, and the token is never synchronized into the page URL. Clipboard actions only run when you press a copy button. If the token grants production access, rotate it after any accidental disclosure.

Made by Toolora · 100% client-side · Updated 2026-06-13