Decode JWT header / payload / signature — verify structure, check exp, copy claims — browser-only
- Runs locally
- Category: Encoding & Crypto
- Best for: Checking small payloads, tokens, hashes, and encoded values quickly.
What this tool does
Free online JSON Web Token decoder. Paste any JWT and instantly see the decoded header, payload (claims), and raw signature. Shows token type, algorithm, issuer (iss), subject (sub), expiry (exp), issued-at (iat), and whether the token is expired. 100% client-side — your tokens never touch our servers.
Tool details
- Input: Text + Structured content. The page exposes text boxes, numeric controls, file pickers, or structured inputs depending on the tool.
- Output: Live result + Copy. The result area focuses on usable output, with copy, download, or preview actions when supported.
- Privacy: Browser-side processing. The main tool logic does not call an external API, so inputs normally stay in the current tab.
- Save / share: No account required. Open the page and use it; whether results survive refresh depends on the tool.
- Performance budget: Initial JS <= 10 KB. No WASM budget is declared, keeping the tool quick to open on mobile.
- Best fit: Encoding & Crypto · Developer. Category and role tags drive related tools, internal links, and quick fit checks.
How to use
1. Input: Paste or drop your content into the tool panel.
2. Process: Click the button. All processing is local in your browser.
3. Copy / Download: Copy the result or download to disk in one click.
How JWT Decoder fits into your work
Use it for quick browser-side encoding, decoding, hashing, token checks, and share-safe transformations.
Encoding jobs
- Checking small payloads, tokens, hashes, and encoded values quickly.
- Preparing values for APIs, URLs, docs, or support tickets.
- Avoiding account-based tools when the input might be sensitive.
Encoding checks
- Do not paste live secrets unless you are comfortable with local browser handling.
- Confirm whether the operation is reversible before sharing the result.
- For hashes, compare the exact algorithm and casing expected by the receiver.
Good next steps
These links move the current task into a more complete workflow.
- Base64 Encoder & Decoder: Encode or decode Base64 (text, files, and Data URLs). Runs entirely in your browser.
- URL Encoder / Decoder: Encode and decode URL-unsafe characters (query strings, path segments, full URLs). Instant, browser-only.
- JWT Encoder: Encode JWT. Pick algorithm (HS256/HS384/HS512), set header/payload/secret, get token.
Real-world use cases
Debug a 401 by checking whether the token simply expired
Your API returns 401 and you suspect the access token. Paste it here, read the exp claim, and compare it to now. If exp is 1716200000 and that's three minutes ago, the token expired and your client just needs to refresh — not a permissions bug. This turns a 30-minute rabbit hole into a 10-second check.
Confirm a login bug is the wrong scope, not the wrong user
A user reports they can't reach the admin panel. Paste their token, look at sub to confirm it's really their account, then read the scope or roles claim. If you see scope "read:orders" but the route needs "admin:write", the auth server issued a token with the wrong permissions — fix the role mapping, not the route guard.
Spot a clock-skew failure between two services
Service B rejects tokens that Service A just minted. Decode the token and read iat and nbf against the wall clock on B. If iat is 40 seconds in the future from B's point of view, the two boxes disagree on time and nbf validation trips. The fix is NTP on the hosts, not a code change — the decoded timestamps prove it.
Verify which key an SSO provider used via the kid header
During an Okta or Auth0 rotation, verification starts failing. Decode the header and read the kid field, then check it against the keys in the provider's JWKS endpoint. If the kid points to a key that's no longer published, your service cached a stale JWKS and needs to refetch — a five-second decode tells you exactly which key to chase.
Common pitfalls
Treating a successful decode as proof the token is valid. Decoding only reads claims; a tampered payload still decodes cleanly. Always verify the signature server-side with the issuer's key before trusting anything.
Reading exp as milliseconds. JWT timestamps are Unix seconds, so 1716200000 is a date in 2024; misread as milliseconds it lands in 1970. Multiply by 1000 only when feeding it into JavaScript's Date(ms) constructor.
Pasting a production token into a random online decoder. Even client-side, copy-paste history and browser extensions can leak it; decode sensitive tokens on a trusted local tool or rotate the secret afterward.
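The checks from the use cases and pitfalls above, as an added Node.js example (not this tool's own code). The function name inspectJwt, the skew parameter, and every token value are assumptions constructed for illustration.

```javascript
// Added example (Node.js). Decode-only triage: nothing here verifies the signature.
const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64")
  .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const dec = (seg) => JSON.parse(
  Buffer.from(seg.replace(/-/g, "+").replace(/_/g, "/"), "base64").toString("utf8"));

// nowSec and skewSec are Unix seconds, the same unit as exp / nbf / iat.
function inspectJwt(token, nowSec, skewSec = 0) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const header = dec(parts[0]);
  const payload = dec(parts[1]);
  const findings = [];
  for (const name of ["exp", "nbf", "iat"]) {
    const v = payload[name];
    if (v === undefined) continue;
    if (typeof v !== "number") findings.push(`${name} is not a number`);
    else if (v > 1e11) findings.push(`${name} looks like milliseconds, not seconds`);
  }
  const { exp, nbf, iat } = payload;
  if (typeof exp === "number" && nowSec >= exp + skewSec)
    findings.push(`expired ${nowSec - exp}s ago`);
  if (typeof nbf === "number" && nbf > nowSec + skewSec)
    findings.push(`nbf is ${nbf - nowSec}s in the future`);
  if (typeof iat === "number" && iat > nowSec + skewSec)
    findings.push(`iat is ${iat - nowSec}s in the future`);
  // kid is the value to look up in the provider's published JWKS.
  return { header, payload, kid: header.kid ?? null, signatureVerified: false, findings };
}

function demo() {
  // Constructed sample values; SIG is a placeholder string, not a real signature.
  const SIG = "c2lnbmF0dXJl";
  const header = { alg: "RS256", typ: "JWT", kid: "example-key-1" };
  const claims = { sub: "user-123", scope: "read:orders", iat: 1716196400, exp: 1716200000 };
  const token = [enc(header), enc(claims), SIG].join(".");
  const expired = inspectJwt(token, 1716200180);          // three minutes after exp
  const skewed = inspectJwt(token, claims.iat - 40);      // verifier clock 40 s behind issuer
  const tolerated = inspectJwt(token, claims.iat - 40, 60); // same clocks, 60 s leeway
  // Payload edited, old signature kept: decoding succeeds and reports nothing wrong.
  const edited = [enc(header), enc({ ...claims, scope: "admin:write" }), SIG].join(".");
  const tampered = inspectJwt(edited, 1716199000);
  const millis = inspectJwt([enc(header), enc({ exp: 1716200000000 }), SIG].join("."), 1716199000);
  return { expired, skewed, tolerated, tampered, millis };
}
console.log(JSON.stringify(demo(), null, 2));
```

signatureVerified is always false here on purpose: the tampered token decodes with no findings, which is why trust decisions belong to server-side signature verification with the issuer's key.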
Privacy
Decoding happens entirely in your browser — the token is base64url-decoded and JSON-parsed locally, and never sent to any server. Because the input is a credential, it is deliberately NOT synced to the URL, so you won't leak it by copying or bookmarking the page. For production tokens, prefer decoding on your own machine and rotate the secret if a token was exposed.