
JWT Decoder & Inspector

Decode and inspect any JWT — header, payload, signature and expiry. Fully client-side.


JWT decoder online — inspect tokens without leaking them

This JWT decoder splits a JSON Web Token into its three parts, decodes the Base64URL header and payload, and shows you the signature, the claims, the algorithm, and an expiry countdown. It all happens live, in your browser, with no network requests. If you've ever pasted a token into an "online JWT decoder" and immediately regretted it, this tool exists for you.

What gets decoded

Every JWT has three Base64URL-encoded parts separated by dots: header.payload.signature. The decoder shows each one in its own pane. The header reveals the signing algorithm (e.g. HS256, RS256) and token type. The payload contains the claims — sub, iss, aud, exp, iat, plus any custom claims your service issues. The signature is opaque without the secret/key, so we display it raw for inspection.

Live expiry countdown

The decoder reads the exp claim and starts a 1-second-tick countdown. When the token is valid, you see Expires in 23m 14s. When it expires, the badge flips to Expired. This is the fastest way to verify whether your access token is actually fresh during local debugging — no need to convert epoch timestamps in your head.
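
The decode and expiry steps described in the two sections above, as an added example (not this tool's own source). The names `b64urlToJson` and `inspectJwt`, the "No expiry" label, and the sample token are assumptions made for illustration.

```javascript
// Added example with hypothetical helper names; not the tool's own source.
function b64urlToJson(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error("not Base64URL");
  // atob() only accepts standard Base64: map the URL-safe alphabet back, restore padding.
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/")
    .padEnd(Math.ceil(segment.length / 4) * 4, "=");
  // atob() yields a binary string; decode the bytes as UTF-8 so non-ASCII claims survive.
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  const obj = JSON.parse(new TextDecoder("utf-8", { fatal: true }).decode(bytes));
  if (obj === null || typeof obj !== "object") throw new Error("not a JSON object");
  return obj;
}

// Decode only. nowSec is injectable so the expiry logic can be tested.
function inspectJwt(token, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = String(token).trim().split(".");
  if (parts.length !== 3) return { status: "Malformed" };
  let header, payload;
  try {
    header = b64urlToJson(parts[0]);
    payload = b64urlToJson(parts[1]);
  } catch {
    return { status: "Malformed" };
  }
  // "No expiry" is an assumed label for tokens without a numeric exp claim.
  let status = "No expiry";
  if (typeof payload.exp === "number") {
    const left = payload.exp - nowSec;
    status = left > 0 ? `Expires in ${Math.floor(left / 60)}m ${left % 60}s` : "Expired";
  }
  // The signature segment is returned untouched; nothing here verifies it.
  return { status, header, payload, signature: parts[2], verified: false };
}

// Constructed sample token with a fake signature segment, built inline for the demo.
const enc = (o) => btoa(JSON.stringify(o)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE = [enc({ alg: "HS256", typ: "JWT" }),
  enc({ sub: "user-123", exp: 1700001394 }), "c2lnbmF0dXJl"].join(".");
console.log(inspectJwt(SAMPLE, 1700000000).status);
```

The `verified: false` field is a reminder that every decoded claim is untrusted input until a backend has checked the signature.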

Validity badges

Important: this does not verify the signature

Verifying a JWT signature requires the signing key (HMAC secret or RSA/EC public key). Pasting your production secret into a website you don't control would be a serious security mistake — so this tool deliberately does not offer signature verification. Use your backend, your CLI (jwt-cli), or a library like jose for verification. Use this tool to inspect claims while debugging.

Privacy

Decoding happens with atob in your browser. The token is never sent over the network. You can paste tokens with sensitive subject IDs, audiences, or custom claims and they stay in your tab. If you want to be paranoid, open the page, disable Wi-Fi, and decode away — it still works.

Common claims explained

FAQ

Does this verify the JWT signature?
No. Verifying a signature requires the signing secret (HS256) or public key (RS256/ES256). Pasting those into a third-party website would be unsafe, so this tool intentionally only decodes.
Are my tokens sent to a server?
No. The decoder runs entirely in your browser using built-in atob() and JSON.parse(). You can verify zero network activity in DevTools.
What does 'Malformed' mean?
The token doesn't have three dot-separated Base64URL parts, or the header/payload aren't valid JSON. Most often this happens when only the payload was copied.
Can I decode a token signed with RS256?
Yes — the algorithm doesn't matter for decoding. The header will show alg: RS256 and the payload decodes the same way. Verification still requires the public key.
Why is the signature shown as raw text?
Signatures are binary bytes encoded as Base64URL. Without the signing key there's nothing meaningful to decode — we display the raw segment so you can copy it for further analysis.