Anatomy of a JWT token
A JSON Web Token (RFC 7519) is three Base64URL-encoded segments separated by dots: header.payload.signature. The header declares the signing algorithm (HS256, RS256, ES256, etc.) and token type. The payload carries claims -- standardized fields like sub (subject), iat (issued-at), exp (expiration), nbf (not-before), and iss (issuer), plus any custom claims your application defines. The signature is a cryptographic MAC or digital signature over the first two segments. This tool decodes the header and payload segments client-side, parses the claims, and flags whether the token has expired -- without attempting signature verification, since that requires the secret or public key.
Decoding a token
1. Paste a JWT string (three dot-separated segments) into the input field.
2. The tool immediately splits on the dots, Base64URL-decodes the header and payload, and parses them as JSON.
3. Badges show the algorithm (alg), token type (typ), expiration status, and formatted timestamps for exp and iat.
4. The full payload JSON is displayed in the output panel for copying or further inspection.
Decoding internals
- Base64URL decoding — JWT uses the URL-safe Base64 variant (RFC 4648 section 5): - replaces +, _ replaces /, and padding is omitted. The decoder handles the character substitution and re-pads before calling atob().
- Timestamp interpretation — The exp (expiration) and iat (issued-at) claims are Unix epoch seconds. The tool converts them to locale-formatted date strings and shows whether the token has expired relative to your system clock.
- Live decoding — Decoding triggers on every keystroke -- no button click needed. Paste a token and see the result instantly.
- Structured output — Header and payload are rendered in separate syntax-highlighted JSON editors, and the raw signature string is shown as a monospace block.
- No signature verification — This is a decoder, not a verifier. Signature validation requires the signing key, which is not available in a client-side tool. The signature segment is displayed but not cryptographically checked.
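As an added example (not the tool's own code), here is a minimal decoder in JavaScript that implements the internals listed above: Base64URL re-padding before atob(), JSON parsing, an exp/nbf check against a caller-supplied clock, and rejection of five-segment JWE input. The sample token reuses the page's header and payload segments with a constructed placeholder signature; the function names and the constant SAMPLE_JWT are this example's, not the tool's.

```javascript
// Base64URL (RFC 4648 section 5) -> UTF-8 string: map '-'/'_' back to '+'/'/',
// restore the omitted '=' padding, then hand the result to atob().
function base64UrlDecode(segment) {
  if (!/^[A-Za-z0-9_-]*$/.test(segment)) throw new Error("segment is not Base64URL");
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes); // rejects malformed UTF-8
}

// Decode header and payload without verifying the signature. `nowSeconds` defaults
// to the system clock, as the tool does; pass a fixed value for reproducible checks.
function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length === 5) throw new Error("Not a valid JWT: five segments is JWE, which needs the decryption key");
  if (parts.length !== 3) throw new Error("Not a valid JWT: expected header.payload.signature");
  const [h, p, signature] = parts;
  const header = JSON.parse(base64UrlDecode(h));
  const payload = JSON.parse(base64UrlDecode(p));

  // exp/nbf are NumericDate (Unix epoch seconds). A missing exp is reported as such
  // instead of being silently treated as "valid".
  const hasExp = typeof payload.exp === "number";
  const expired = hasExp && nowSeconds >= payload.exp;
  const notYetValid = typeof payload.nbf === "number" && nowSeconds < payload.nbf;
  const toIso = (s) => (typeof s === "number" ? new Date(s * 1000).toISOString() : null);

  return {
    header, payload, signature, // signature is surfaced for display, never checked
    alg: header.alg, typ: header.typ, hasExp, expired, notYetValid,
    iat: toIso(payload.iat), exp: toIso(payload.exp), nbf: toIso(payload.nbf),
  };
}

// Inverse mapping, used only to build constructed sample tokens (signature is a dummy).
function encodeSegment(obj) {
  const bytes = new TextEncoder().encode(JSON.stringify(obj));
  return btoa(String.fromCharCode(...bytes)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// The page's sample header and payload, with a constructed placeholder signature.
const SAMPLE_JWT = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
  + "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0."
  + "constructed-dummy-signature";

console.log(decodeJwt(SAMPLE_JWT)); // alg "HS256", sub "1234567890", hasExp false, iat 2018-01-18T01:30:22.000Z
```

Runs unchanged in a browser console and in Node 16 or later, where atob, btoa and TextDecoder are globals.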
When to decode a JWT
- Debugging auth flows — Inspect the claims in an access token or ID token to verify the issuer, audience, scopes, and expiration before troubleshooting 401/403 errors.
- Checking token expiry — Quickly determine whether a JWT has expired without writing code to parse the exp claim manually.
- Reviewing OAuth responses — OAuth providers (Auth0, Cognito, Okta, Firebase) issue JWTs. Decode them to confirm the token contains the expected custom claims.
- API development — When building or testing JWT-authenticated APIs, decode the tokens flowing through your system to verify payload contents during development.
- Security auditing — Inspect tokens found in logs, cookies, or local storage to assess what data is exposed in the payload (remember: JWTs are signed, not encrypted).
Decoded token structure
// Raw JWT:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.
<signature>
// Decoded header:
{ "alg": "HS256", "typ": "JWT" }
// Decoded payload:
{
  "sub": "1234567890",
  "name": "John Doe",
  "admin": true,
  "iat": 1516239022
}
JWT decoder specifics
Does this tool verify the signature?
No. Signature verification requires the signing secret (for HMAC algorithms) or the public key (for RSA/ECDSA). Since this tool runs entirely in your browser with no backend, it cannot access your keys. Use a server-side library (jsonwebtoken, jose, PyJWT) for verification.
Is it safe to paste production tokens here?
Yes, from a data-privacy standpoint -- the token never leaves your browser. However, remember that JWTs are bearer tokens: anyone with the token string can use it until it expires. Avoid sharing tokens in untrusted environments regardless of the tool.
What happens with encrypted JWTs (JWE)?
This tool handles signed JWTs (JWS). Encrypted tokens (JWE, RFC 7516) have a different structure (five segments instead of three) and cannot be decoded without the decryption key. The tool will report "Not a valid JWT" for JWE tokens.
Why does the expiration badge sometimes show "Valid" for an old token?
The expiration check compares the exp claim against your local system clock (Date.now()). If your clock is significantly off, or the token has no exp claim, the badge may be inaccurate.