JWT Decoder
Decode JWT tokens to see the header, payload and expiry status. Colour-coded sections with formatted JSON output. Paste any JWT to inspect its contents.
Paste a JWT token above to decode it.
What Each of the Three Parts Contains
A JSON Web Token is three base64url-encoded JSON blobs joined by dots: header.payload.signature. Paste a token at 11pm while debugging an API auth failure and the tool splits it on the dots, base64-decodes each segment, and parses the JSON. The header tells you the signing algorithm (alg, usually HS256, RS256, or ES256) and key id (kid). The payload contains your claims. The signature is the cryptographic seal, displayed truncated because you can't validate it without the secret or public key.
The decoder also reads the standard registered claims and surfaces them at the top: iss (issuer), sub (subject, typically the user id), aud (audience), iat (issued-at, Unix seconds), exp (expiration, Unix seconds), and nbf (not-before). If exp is set, the tool computes whether the token is currently expired and how long until expiry or how long since. This catches the most common JWT bug: the API rejects a token that 'looks fine' because it expired a few minutes ago and you forgot to refresh.
Decoding Is Not Validating
Anyone can decode a JWT. The base64-encoded segments are not encrypted, just encoded, so the contents are visible to any party that holds the token. This is by design: JWTs are meant to be readable by both client and server. What stops them being forged is the signature, which requires either the shared secret (HS256) or the issuer's private key (RS256, ES256) to produce.
Treat the payload as untrusted until your backend has verified the signature, the exp claim, and the iss/aud claims against expected values. Never put secrets, passwords, or sensitive PII inside a JWT payload; assume any token your client receives can be inspected by an attacker who steals it. If you need to encrypt the payload (not just sign it), use JWE, which is the encrypted variant defined alongside JWT in RFC 7519.
Standard JWT Claims
| Claim | Meaning | Common Value |
|---|---|---|
| iss | Issuer | https://auth.example.com |
| sub | Subject (user id) | user_abc123 |
| aud | Audience | https://api.example.com |
| iat | Issued at (Unix seconds) | 1735689600 |
| exp | Expiry (Unix seconds) | 1735693200 |
| nbf | Not before (Unix seconds) | 1735689600 |
| jti | Token id (for revocation) | uuid-v4 |
Frequently Asked Questions
Why is my token rejected even though the decoder shows valid JSON?
Six likely causes: the token has expired (check exp); the clock skew between your server and the issuer is too large (allow 30-60s slack); the signature is wrong (you decoded it with one key but it was signed with another); the audience doesn't match what your verifier expects; the issuer URL has a trailing slash mismatch; or the algorithm in the header doesn't match what your verifier accepts (alg: 'none' should always be rejected).
What is the difference between HS256, RS256, and ES256?
HS256 is HMAC with SHA-256, a symmetric algorithm where the signer and verifier share the same secret. Simple, fast, but useless across organisational boundaries because anyone who can verify a token can forge one. RS256 is RSA with SHA-256, asymmetric: the issuer signs with a private key and consumers verify with a public key, which is what OAuth 2.0 (RFC 6749) and OpenID Connect deployments use. ES256 is ECDSA with the P-256 curve, smaller signatures and faster verification than RSA, increasingly the default.
Can I decode an expired token?
Yes. Expiry is enforced by the verifier, not the decoder. The tool will happily decode any structurally valid JWT regardless of exp. It will, however, flag the token as expired and show how long ago it expired so you can confirm that's the cause of the auth failure you're debugging.
Where should I store JWTs in a browser?
Memory (a JS variable) is safest from XSS but lost on reload. localStorage and sessionStorage are convenient but readable by any script on the page if XSS is breached. httpOnly Secure cookies survive reload and are immune to JS-level XSS but require CSRF protection and a same-site cookie strategy. The current consensus for SPAs is short-lived access tokens in memory plus a long-lived refresh token in an httpOnly cookie.
Related Tools
JSON Formatter & Validator
Format, minify and validate JSON with syntax highlighting. Shows error locations, key count, nesting depth and size stats
Base64 Encoder / Decoder
Encode text to Base64 or decode Base64 back to text. Supports UTF-8 with auto-convert mode and copy buttons
URL Encoder / Decoder
Encode and decode URLs and query parameters. Supports encodeURIComponent for params and encodeURI for full URLs