JWT Decoder
Decode JWTs instantly in your browser. See header, payload, claims. Private - never sent to a server.
How to Use JWT Decoder
- Paste your JWT token into the input field
- The header and payload are decoded automatically
- View all claims in a readable JSON format
- Check expiration (exp) and issued-at (iat) times
- Works with tokens from any provider (Auth0, Firebase, Cognito, etc.)
About JWT Decoder
Decode JSON Web Tokens (JWTs) instantly and inspect their contents safely. This decoder runs entirely in your browser - your tokens are never uploaded to any server, making it safe for production tokens. See the header (algorithm, token type), payload (all claims including sub, iat, exp, custom claims), and signature. Perfect for debugging authentication issues, understanding OAuth flows, or inspecting API tokens.
Frequently Asked Questions
Does this verify the JWT signature?
No, this tool only decodes and displays the token contents. It doesn't verify signatures; that requires the secret key, which should stay on your server. Treat the decoded claims as unverified until the signature has been checked there.
Is it safe to paste my production JWT here?
Yes! All decoding happens locally in your browser using JavaScript. Your token is never sent to any server, never logged, never stored. You can even use this tool offline.
What parts of a JWT can I see?
You can see the header (algorithm like HS256/RS256, token type), payload (all claims including sub, iat, exp, iss, aud, and custom claims), and the signature (encoded, not decoded).
Why can't I decode the signature?
The signature is a cryptographic hash that can't be decoded. It's used to verify the token wasn't tampered with, not to store data.
What does each standard claim mean?
Common claims include sub (subject/user ID), iat (issued at), exp (expiration), iss (issuer), aud (audience), and nbf (not before). Custom claims vary by application.
Why does my token show as expired?
The exp claim is a Unix timestamp. If it's in the past, the token has expired. Compare it to the current time to see how long ago it expired.
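The decoding and expiry check described in the answers above, as an added example that is not this tool's own source code: it splits the token, base64url-decodes the header and payload, and compares exp and nbf with a supplied clock, without verifying the signature. The function names and the sample token are constructed for illustration.

```javascript
// Decode one base64url segment (alphabet uses '-' and '_', no '=' padding) to a UTF-8 string.
function b64urlToString(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error("segment is not base64url");
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

// Split a compact token into header.payload.signature and parse the first two.
// The signature is returned still encoded and is NOT verified.
function decodeJwt(token) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const [h, p, signature] = parts;
  return {
    header: JSON.parse(b64urlToString(h)),
    payload: JSON.parse(b64urlToString(p)),
    signature,
    verified: false, // decoding alone proves nothing about authenticity
  };
}

// Compare exp / nbf (Unix seconds) with a clock value, defaulting to now.
function timeStatus(payload, nowSeconds = Math.floor(Date.now() / 1000)) {
  if (typeof payload.exp === "number" && nowSeconds >= payload.exp) {
    return { state: "expired", secondsAgo: nowSeconds - payload.exp };
  }
  if (typeof payload.nbf === "number" && nowSeconds < payload.nbf) {
    return { state: "not-yet-valid", secondsUntil: payload.nbf - nowSeconds };
  }
  return { state: "within-validity-window" };
}

// Constructed sample token; the third part is a placeholder, not a real signature.
function toB64url(obj) {
  const bin = String.fromCharCode(...new TextEncoder().encode(JSON.stringify(obj)));
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
const sampleToken = [
  toB64url({ alg: "HS256", typ: "JWT" }),
  toB64url({ sub: "user-123", iss: "https://issuer.example", iat: 1700000000, exp: 1700003600 }),
  "c2lnbmF0dXJlLXBsYWNlaG9sZGVy",
].join(".");

const decoded = decodeJwt(sampleToken);
console.log(decoded.header, decoded.payload, timeStatus(decoded.payload, 1700007200));
```

Everything this returns comes from attacker-controllable input, so use it for inspection and debugging only and leave authorization decisions to code that has verified the signature.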