About the JWT Decoder
JSON Web Tokens are the standard way modern APIs and single sign-on systems carry identity between services. A JWT is three Base64URL-encoded segments separated by dots: a header naming the signing algorithm, a payload of claims (who the token is for, who issued it, when it expires), and a signature. Because the first two parts are only encoded — not encrypted — anyone holding a token can read them, and this tool does exactly that, entirely in your browser.
It is useful when debugging 401 errors (is the token expired? does the audience match?), inspecting what an identity provider actually put in a token, or checking clock-skew issues between iat and exp. Registered timestamp claims are converted to your local time and the tool tells you at a glance whether the token is expired, not yet valid, or current. Remember: never paste production tokens into random websites — this page is safe precisely because the decoding is client-side JavaScript with no network calls, which you can confirm in your browser’s dev tools.
Registered Claims Cheat Sheet
- iss / sub / aud. Issuer, subject (the user) and intended audience. A common 401 cause is an audience mismatch between the token and the API.
- exp / nbf / iat. Expiry, not-before and issued-at, all as Unix timestamps. Clock skew between servers causes “token used before issued” errors.
- jti. Unique token ID, used for revocation lists.
- alg (header). Signing algorithm. Treat
alg: noneas an attack indicator.