🎫

JWT Decoder & Inspector

Paste a JSON Web Token to decode its header and payload, check expiry and read every claim in plain English — fully client-side, nothing is sent anywhere.

Token Input

About the JWT Decoder

JSON Web Tokens are the standard way modern APIs and single sign-on systems carry identity between services. A JWT is three Base64URL-encoded segments separated by dots: a header naming the signing algorithm, a payload of claims (who the token is for, who issued it, when it expires), and a signature. Because the first two parts are only encoded — not encrypted — anyone holding a token can read them, and this tool does exactly that, entirely in your browser.

It is useful when debugging 401 errors (is the token expired? does the audience match?), inspecting what an identity provider actually put in a token, or checking clock-skew issues between iat and exp. Registered timestamp claims are converted to your local time and the tool tells you at a glance whether the token is expired, not yet valid, or current. Remember: never paste production tokens into random websites — this page is safe precisely because the decoding is client-side JavaScript with no network calls, which you can confirm in your browser’s dev tools.

Registered Claims Cheat Sheet

  • 🏷️
    iss / sub / aud. Issuer, subject (the user) and intended audience. A common 401 cause is an audience mismatch between the token and the API.
  • exp / nbf / iat. Expiry, not-before and issued-at, all as Unix timestamps. Clock skew between servers causes “token used before issued” errors.
  • 🆔
    jti. Unique token ID, used for revocation lists.
  • 🔏
    alg (header). Signing algorithm. Treat alg: none as an attack indicator.

Frequently Asked Questions

Is it safe to paste a token here?
The page performs no network requests when decoding — everything happens in local JavaScript, and the site works offline once cached. That said, the safe habit for production tokens is to decode only on machines and tools you trust.
Why does my token fail to decode?
Check that you copied all three dot-separated segments with no line breaks, and that it is actually a JWT — opaque OAuth access tokens from some providers are random strings, not JWTs, and cannot be decoded.
Can this tool tell me if a token is genuine?
No. Anyone can craft a JWT with any claims. Only cryptographic signature verification against the issuer’s public key — done by your API server — proves authenticity.