JWT Decoder & Debugger
Instantly decode and inspect JSON Web Tokens. Paste any JWT to see its header, payload, and signature with colour-coded panels and human-readable timestamps. Zero server calls — everything runs in your browser.
Frequently Asked Questions
What is a JWT (JSON Web Token)?
A JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact, URL-safe method for transmitting information between parties as a signed JSON object. A JWT consists of three Base64URL-encoded parts separated by dots: a header (metadata and algorithm), a payload (claims and data), and a signature (cryptographic integrity proof).
Is it safe to paste my JWT into this decoder?
Yes. This tool is 100% client-side — your token is decoded entirely in your browser using JavaScript and is never transmitted to any server. Open your browser's Network tab and you will see zero requests fired when you paste a token. That said, avoid sharing JWTs that carry sensitive bearer permissions in public spaces regardless of what decoder you use.
What do the exp, iat, and nbf claims mean?
These are standard registered JWT claims: exp (Expiration Time) is a Unix timestamp on or after which the token must not be accepted; iat (Issued At) records when it was issued; nbf (Not Before) marks the earliest time at which it is valid. This tool automatically converts all three — plus auth_time and updated_at — to human-readable UTC dates displayed inline next to their numeric values.
Can this tool verify the JWT signature?
No. Signature verification requires the secret key (HMAC algorithms like HS256) or the corresponding public key (asymmetric algorithms like RS256 or ES256). This decoder only Base64URL-decodes the header and payload to reveal their contents — it does not validate the cryptographic signature. Always perform signature verification server-side before trusting any JWT claims in a production system.
What JWT signing algorithms are commonly used?
The most common JWT signing algorithms are: HS256/384/512 (HMAC-SHA, symmetric shared secret); RS256/384/512 (RSA, asymmetric key pair); ES256/384/512 (ECDSA, elliptic-curve); and PS256/384/512 (RSA-PSS). The algorithm is declared in the alg field of the JWT header. This decoder reads and displays the algorithm regardless of which one was used.
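The difference between decoding and verifying, as an added Node.js example that is not this tool's own code: `decodeJwt` and `readableTimes` do what the FAQ describes for the decoder, while `verifyHs256` is the server-side check with a pinned algorithm and exp/nbf enforcement. The secret, the tokens and all function names are constructed for illustration, and only HS256 is covered.

```javascript
// Added example, not the tool's code. Secret and tokens are constructed samples.
const crypto = require("crypto");

const fromB64Url = (s) => JSON.parse(Buffer.from(s, "base64url").toString("utf8"));
const toB64Url = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");

// Decode only: what a client-side decoder does. Nothing here is authenticated.
function decodeJwt(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  return { header: fromB64Url(parts[0]), payload: fromB64Url(parts[1]), signature: parts[2] };
}

// Render the time claims as UTC, as the FAQ describes for exp, iat and nbf.
function readableTimes(payload) {
  const out = {};
  for (const k of ["exp", "iat", "nbf"])
    if (typeof payload[k] === "number") out[k] = new Date(payload[k] * 1000).toISOString();
  return out;
}

// Server-side check (HS256 only here): signature first, then time claims.
function verifyHs256(token, secret, nowSec = Math.floor(Date.now() / 1000)) {
  let decoded;
  try { decoded = decodeJwt(token); } catch { return { ok: false, reason: "malformed" }; }
  const { header, payload, signature } = decoded;
  // Pin the expected algorithm instead of trusting the token's own alg field.
  if (header.alg !== "HS256") return { ok: false, reason: "unexpected alg" };
  const signingInput = token.slice(0, token.lastIndexOf("."));
  const expected = crypto.createHmac("sha256", secret).update(signingInput).digest();
  const given = Buffer.from(signature, "base64url");
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected))
    return { ok: false, reason: "bad signature" };
  if (typeof payload.exp === "number" && nowSec >= payload.exp) return { ok: false, reason: "expired" };
  if (typeof payload.nbf === "number" && nowSec < payload.nbf) return { ok: false, reason: "not yet valid" };
  return { ok: true, payload };
}

// Build constructed sample tokens for the demonstration.
function signHs256(payload, secret) {
  const input = `${toB64Url({ alg: "HS256", typ: "JWT" })}.${toB64Url(payload)}`;
  return `${input}.${crypto.createHmac("sha256", secret).update(input).digest("base64url")}`;
}

const SECRET = "constructed-demo-secret";
const genuine = signHs256({ sub: "alice", role: "user", iat: 1700000000, exp: 1700003600 }, SECRET);
// Same header and signature, edited payload: decodes fine, must fail verification.
const [hdr, , sig] = genuine.split(".");
const edited = `${hdr}.${toB64Url({ sub: "alice", role: "admin", iat: 1700000000, exp: 1700003600 })}.${sig}`;
```

Both `genuine` and `edited` decode cleanly, which is why decoded claims alone are never grounds for an authorization decision; only `verifyHs256` distinguishes them.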