Paste any JSON Web Token to instantly decode the header, payload, and check expiration. Everything runs in your browser — your tokens never leave your machine.
A JSON Web Token (JWT, pronounced "jot") is a compact, URL-safe means of representing claims between two parties. JWTs are widely used in modern authentication, including OAuth 2.0 and OpenID Connect deployments and many APIs that need to verify a user's identity.
A JWT consists of three Base64URL-encoded parts separated by dots:
Header: algorithm (alg) and token type (typ)
Payload: claims such as subject (sub), issued time (iat), and expiration (exp)
1. Paste your JWT into the input area.
2. Click "Decode Token" to split and decode all three parts.
3. View the Header, Payload, and Signature sections below.
4. If the token contains iat or exp claims, the tool shows whether the token is still valid.
sub — Subject (usually a user ID)
iss — Issuer (who created the token)
aud — Audience (who the token is intended for)
exp — Expiration time (Unix timestamp)
iat — Issued at (Unix timestamp)
nbf — Not before (token is invalid before this time)
jti — JWT ID (unique identifier for the token)
Yes. This tool runs entirely in your browser using JavaScript. No data is transmitted to any server. You can verify by disconnecting your internet — the tool still works perfectly.
This tool decodes and displays JWTs. Full signature verification requires the secret key or public certificate, which should never be shared in a client-side tool. For production verification, use server-side libraries like jsonwebtoken (Node.js), firebase/php-jwt (PHP), or PyJWT (Python).
Common algorithms include HS256 (HMAC-SHA256), RS256 (RSA-SHA256), ES256 (ECDSA-SHA256), and EdDSA. The algorithm is specified in the JWT header's alg field.
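The decode steps and the exp/nbf check described above, as an added example that is not this tool's own code. It assumes Node.js (global Buffer); the function names and the sample token are constructed for illustration, and the result reports "unexpired" rather than "valid" because the signature is never checked.

```javascript
// Added example: decode-only JWT inspection. It never verifies the signature.
// Function names and the sample token below are constructed for illustration.
const toB64url = (obj) =>
  Buffer.from(JSON.stringify(obj)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");

// Constructed sample; the third part is a placeholder, not a real signature.
const SAMPLE_TOKEN = [
  toB64url({ alg: "HS256", typ: "JWT" }),
  toB64url({ sub: "user-123", iat: 1700000000, nbf: 1700000000, exp: 1700003600 }),
  "c2FtcGxlLXNpZ25hdHVyZQ",
].join(".");

function b64urlToJson(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error("segment is not Base64URL");
  // Map the URL-safe alphabet back to standard Base64 before decoding.
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const value = JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
  if (value === null || typeof value !== "object") {
    throw new Error("segment is not a JSON object");
  }
  return value;
}

function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const header = b64urlToJson(parts[0]);
  const payload = b64urlToJson(parts[1]);
  // Time claims are Unix timestamps in seconds; a token is expired at exp itself.
  let status = "no exp claim";
  if (typeof payload.nbf === "number" && nowSeconds < payload.nbf) {
    status = "not yet valid";
  } else if (typeof payload.exp === "number") {
    status = nowSeconds >= payload.exp ? "expired" : "unexpired";
  }
  // The signature part is returned as-is; trust in the claims needs server-side verification.
  return { header, payload, signature: parts[2], status, signatureVerified: false };
}

console.log(inspectJwt(SAMPLE_TOKEN, 1700000100));
```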