DevToolbox

JWT Decoder

Decode JWT headers and payload claims directly in your browser. This tool helps inspect token structure, registered claims, and expiry windows, but it does not verify signatures or decrypt JWE tokens.

Paste a token

Supports header.payload.signature JWTs and 2-part header.payload samples. Nothing is sent to a server.

Use this to inspect payloads locally before you reach for your auth provider logs.
Structure: Signed JWT (3 segments). The tool decodes only the first two JSON segments.
Status: Active. exp says this token expires in 14 years.
Header fields: 3. Useful for spotting alg, typ, kid, and other metadata quickly.
Payload claims: 7
Signature present

JWT summary

Quickly inspect the most useful header and payload fields without digging through raw JSON.

Algorithm: HS256
Type: JWT
Issuer: https://devtoolbox.dev
Subject: user_123456
Audience: devtoolbox-web, internal-tools
Key ID: devtoolbox-demo

Header

Header metadata usually tells you how the token was signed and which key to look for.

Parsed JSON
{
  "alg": "HS256",
  "typ": "JWT",
  "kid": "devtoolbox-demo"
}
Decoded text
{"alg":"HS256","typ":"JWT","kid":"devtoolbox-demo"}

Payload

Payload claims describe the subject, issuer, audience, and validity window.

Parsed JSON
{
  "iss": "https://devtoolbox.dev",
  "sub": "user_123456",
  "aud": [
    "devtoolbox-web",
    "internal-tools"
  ],
  "scope": "read:profile debug:token",
  "iat": 1760000000,
  "nbf": 1760000000,
  "exp": 2208988800
}
Decoded text
{"iss":"https://devtoolbox.dev","sub":"user_123456","aud":["devtoolbox-web","internal-tools"],"scope":"read:profile debug:token","iat":1760000000,"nbf":1760000000,"exp":2208988800}

Raw segments

Sometimes you need the exact Base64URL segments for debugging middleware, proxies, or CLI tools.

Header segment
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImRldnRvb2xib3gtZGVtbyJ9
Payload segment
eyJpc3MiOiJodHRwczovL2RldnRvb2xib3guZGV2Iiwic3ViIjoidXNlcl8xMjM0NTYiLCJhdWQiOlsiZGV2dG9vbGJveC13ZWIiLCJpbnRlcm5hbC10b29scyJdLCJzY29wZSI6InJlYWQ6cHJvZmlsZSBkZWJ1Zzp0b2tlbiIsImlhdCI6MTc2MDAwMDAwMCwibmJmIjoxNzYwMDAwMDAwLCJleHAiOjIyMDg5ODg4MDB9
Signature segment
signature-demo

Time-based claims

These registered claims usually drive session validity and auth middleware decisions.

Issued At
2025-10-09T08:53:20.000Z
Local: 10/9/2025, 8:53:20 AM
Unix: 1760000000
5 months ago
Not Before
2025-10-09T08:53:20.000Z
Local: 10/9/2025, 8:53:20 AM
Unix: 1760000000
5 months ago
Expires
2040-01-01T00:00:00.000Z
Local: 1/1/2040, 12:00:00 AM
Unix: 2208988800
in 14 years

Important note

JWT decoding and JWT verification are different operations.

This page only decodes Base64URL-encoded JSON in the header and payload. It does not prove the token was issued by a trusted authority.

Signature verification still requires the correct secret or public key, and encrypted JWE tokens require decryption before their payload can be inspected.
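
The difference between the two operations, as an added example for Node.js (not DevToolbox's own code). It reuses the header and payload segments shown on this page; the secret, the edited subject value and the helper names (decodeJwt, signHs256, verifyHs256) are assumptions made for the illustration.

```javascript
const crypto = require("node:crypto");

// Constructed demo secret (an assumption; the page does not publish one).
const DEMO_SECRET = "constructed-demo-secret";
// Header and payload segments copied from the page's "Raw segments" section.
const HEADER_SEG = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImRldnRvb2xib3gtZGVtbyJ9";
const PAYLOAD_SEG = "eyJpc3MiOiJodHRwczovL2RldnRvb2xib3guZGV2Iiwic3ViIjoidXNlcl8xMjM0NTYiLCJhdWQiOlsiZGV2dG9vbGJveC13ZWIiLCJpbnRlcm5hbC10b29scyJdLCJzY29wZSI6InJlYWQ6cHJvZmlsZSBkZWJ1Zzp0b2tlbiIsImlhdCI6MTc2MDAwMDAwMCwibmJmIjoxNzYwMDAwMDAwLCJleHAiOjIyMDg5ODg4MDB9";

const decodeSeg = (seg) => JSON.parse(Buffer.from(seg, "base64url").toString("utf8"));
const encodeSeg = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
const mac = (input, secret) => crypto.createHmac("sha256", secret).update(input).digest();

// Decoding: parse the first two segments; the signature is never looked at.
function decodeJwt(token) {
  const [h, p] = token.split(".");
  return { header: decodeSeg(h), payload: decodeSeg(p) };
}

// Hypothetical issuer-side helper so the example has one validly signed token.
function signHs256(headerSeg, payloadSeg, secret) {
  const sig = mac(`${headerSeg}.${payloadSeg}`, secret).toString("base64url");
  return `${headerSeg}.${payloadSeg}.${sig}`;
}

// Verification: pin the algorithm, recompute the MAC, compare in constant time.
function verifyHs256(token, secret) {
  const parts = token.split(".");
  if (parts.length !== 3) return false;
  const [h, p, s] = parts;
  let header;
  try { header = decodeSeg(h); } catch { return false; }
  if (header?.alg !== "HS256") return false; // the verifier, not the token, picks the algorithm
  const expected = mac(`${h}.${p}`, secret);
  const given = Buffer.from(s, "base64url");
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// 1. The page's demo token as shown, with its placeholder signature segment.
const pageToken = `${HEADER_SEG}.${PAYLOAD_SEG}.signature-demo`;
// 2. The same header and payload, signed with the constructed secret.
const signedToken = signHs256(HEADER_SEG, PAYLOAD_SEG, DEMO_SECRET);
// 3. The payload edited after signing, with the old signature left in place.
const edited = encodeSeg({ ...decodeJwt(signedToken).payload, sub: "user_999999" });
const tamperedToken = `${HEADER_SEG}.${edited}.${signedToken.split(".")[2]}`;

for (const [name, token] of Object.entries({ pageToken, signedToken, tamperedToken })) {
  const { payload } = decodeJwt(token);
  console.log(`${name}: decodes sub=${payload.sub}, verifies=${verifyHs256(token, DEMO_SECRET)}`);
}
```

All three tokens decode cleanly, but only the second one verifies. Claims such as exp, nbf, iss and aud should be trusted only after that check passes.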

Common use cases

Practical ways developers use the JWT decoder in real workflows.

Inspect auth tokens

Decode a JWT to check the issuer, audience, expiration, and custom claims during authentication debugging.

Verify token expiry

Quickly see when a token was issued and when it expires without writing decoding code.

Review token structure

Examine the header to confirm the signing algorithm and key ID match your expected configuration.

Frequently asked questions

Short answers to the questions people usually have before using the tool.

Does this tool verify the JWT signature?

No. It decodes the header and payload, which are Base64url-encoded and not encrypted. Signature verification requires the signing secret or public key.

Is it safe to paste JWTs from production?

The decoding happens entirely in your browser and no data is sent to a server. However, treat production tokens as sensitive and avoid sharing the decoded output.

What are the exp, iat, and nbf claims?

exp is the expiration time, iat is the issued-at time, and nbf is the not-before time. All are Unix timestamps that control when the token is valid.
