JWT Decoder
Decode JWT header and payload sections instantly. Inspect claims, check expiry, and detect the signing algorithm — all client-side.
What is a JWT Decoder?
A JWT (JSON Web Token) decoder reads a token and displays its header and payload in plain JSON — without needing the signing secret. JWTs are the standard format defined in RFC 7519, used by OAuth 2.0, OpenID Connect, and most modern authentication systems to pass identity and permission data between services. Decoding a token helps you inspect what claims it carries, whether it has expired, and which algorithm was used to sign it.
JWT structure (RFC 7519 §3)
| Part | Encoding | Contains |
|---|---|---|
| Header | Base64URL (RFC 4648 §5) | alg (signing algorithm), typ (token type) |
| Payload | Base64URL | Claims: sub, iss, aud, exp, iat, custom fields |
| Signature | Algorithm-specific | HMAC or RSA/ECDSA hash of header.payload + secret/private key |
Standard JWT claims (RFC 7519 §4.1)
- sub (subject) — unique identifier of the user or entity the token represents
- iss (issuer) — authority that created the token, typically a domain URL
- aud (audience) — intended recipient; servers reject tokens with a mismatched audience
- exp (expiration) — Unix timestamp after which the token must not be accepted (§4.1.4)
- iat (issued at) — Unix timestamp of token creation
- nbf (not before) — Unix timestamp before which the token must not be accepted
- jti (JWT ID) — unique identifier used to prevent replay attacks
Supported signing algorithms
The alg header field identifies the signing algorithm (defined in RFC 7518 — JSON Web Algorithms). Common values:
- HS256 / HS384 / HS512 — HMAC with SHA-256/384/512 (symmetric — same secret for signing and verification)
- RS256 / RS384 / RS512 — RSASSA-PKCS1-v1_5 (asymmetric — private key signs, public key verifies)
- ES256 / ES384 / ES512 — ECDSA (asymmetric — preferred for compact tokens)
- none — unsecured JWT — never accept in production. Accepting alg: none tokens is a known critical vulnerability.
Security warning
Never paste a live production JWT from a real user session into any online tool, including this one. JWTs often contain access privileges and user identity. Use test tokens generated in a development environment. This tool decodes in-memory only and stores nothing — but the habit of protecting production tokens applies universally.
Common debugging scenarios
JWT decoding is most useful when diagnosing authentication failures. Inspect the exp claim to determine if a token expired prematurely. Compare the aud or sub claims against what your endpoint expects when a 403 is returned. Use the Format in JSON Formatter button above to expand a complex payload into a multi-level structure for easier reading.
Native code equivalents
Production-ready snippets — same logic the tool runs, in your language:

```javascript
// Decode a JWT without signature verification (development / inspection only)
// RFC 7519 §3: header.payload.signature — all Base64URL encoded (RFC 4648 §5)
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('Invalid JWT: expected 3 dot-separated parts');
  const decodeBase64url = (s) => {
    // Base64URL -> standard Base64, then restore the '=' padding atob() requires
    const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
    const padded = b64.padEnd(b64.length + (4 - (b64.length % 4)) % 4, '=');
    // atob() returns one character per byte; decode those bytes as UTF-8 so
    // non-ASCII claim values (names with accents, etc.) are not garbled
    const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
    return JSON.parse(new TextDecoder().decode(bytes));
  };
  return {
    header: decodeBase64url(parts[0]),
    payload: decodeBase64url(parts[1]),
  };
}

// token: the JWT string read from the input above
const { header, payload } = decodeJwt(token);
console.log('Algorithm:', header.alg);
console.log('Subject: ', payload.sub);
// exp is optional (RFC 7519 §4.1.4); guard before converting it to a date
console.log('Expires: ', payload.exp ? new Date(payload.exp * 1000).toISOString() : '(no exp claim)');
```