JWT Decoder
JWT Decoder splits a pasted JWT (JSON Web Token) into its three segments — header, payload, and signature — and displays each as readable JSON. Paste a string of the form header.payload.signature (dot-separated) and the decoded result updates in real time.
Both the JWT and the secret are processed entirely in your browser and are never sent to a server.
About JWT Decoder
Standard time claims (iat issued-at / exp expires-at / nbf not-before) are converted from raw UNIX timestamps into your locale's date format, with a relative description ("in 3 days", "2 hours ago") shown alongside. When exp is in the past an "Expired" badge is shown; when nbf is in the future a "Not yet valid" badge appears — so you can tell at a glance whether the token you are debugging is still good.
Optionally, supply a secret to verify HMAC signatures (HS256 / HS384 / HS512) right in the browser. This is handy for checking that a backend-issued token was signed with the expected key. Public-key algorithms such as RS256 / ES256 / EdDSA are not supported for verification, but the header and payload can be decoded for any algorithm.
Both the JWT and the secret are processed entirely inside your browser and are never sent to a server. That makes the tool safe for real access tokens and real secrets — but on a shared machine, clearing the secret field after verification is recommended.
How to use
- Paste the JWT you want to inspect (the dot-separated `header.payload.signature` string) into the input area. Whitespace and line breaks are stripped automatically.
- The decoded result appears in three panels: header, payload, and signature. Each panel has a "Copy" button to copy its content to the clipboard.
- If standard claims (iss / sub / aud / jti / iat / exp / nbf) are present, the table below shows each as a human-readable value with a relative time.
- To verify the signature, toggle "Verify the signature with a secret" and enter the HMAC secret (HS256 / HS384 / HS512). A badge shows whether the signature matches.
- Hit "Clear" to wipe the input area and paste a different token.
Use cases
- Quickly inspecting an access token (iss / sub / aud / custom claims) while debugging an API call.
- Checking whether a received JWT has expired and when it was issued.
- Reading sample tokens from an auth provider's documentation to learn what claims they include.
- Verifying locally that a backend-issued HS256 token was signed with the expected secret.
- Looking at the contents of OIDC / OAuth2 ID tokens or access tokens (aud / azp / scope, etc.) without any setup.
Notes
- Neither the JWT nor the secret leaves the browser — everything is processed locally.
- Signature verification supports HS256 / HS384 / HS512 only. RS256 / ES256 / EdDSA and other public-key algorithms are not verified here, but header / payload decoding works for any algorithm.
- Standard time claims (iat / exp / nbf) are interpreted as seconds since the UNIX epoch, per RFC 7519.
- Expired / not-yet-valid checks compare against your device's clock. If the clock is off, the badges will be off too.
- Encrypted JWTs (JWE) are not supported — the tool handles only signed JWTs (JWS, the `header.payload.signature` form).
- On decode, all whitespace (spaces, tabs, newlines) is removed from the input, so multi-line tokens can be pasted as-is.
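
The behaviour described in "About JWT Decoder" and the notes above (whitespace stripping, the three-segment split, exp / nbf checks against a clock, and HMAC verification limited to HS256 / HS384 / HS512), as an added example that is not the tool's own source. It uses Node.js's `crypto` module instead of the browser's Web Crypto API so that it runs synchronously; the function names, sample claims and secret are constructed for illustration.

```javascript
// Added example (not the tool's source). Node.js crypto is used for a synchronous demo.
const { createHmac, timingSafeEqual } = require("node:crypto");

// Only the HMAC algorithms the page lists; a Map avoids prototype-key lookups such as "constructor".
const HMAC_ALGS = new Map([["HS256", "sha256"], ["HS384", "sha384"], ["HS512", "sha512"]]);
const decodeJson = (seg) => JSON.parse(Buffer.from(seg, "base64url").toString("utf8"));
const mac = (hash, secret, data) => createHmac(hash, secret).update(data).digest();

function inspectJwt(input, secret, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = input.replace(/\s+/g, "").split("."); // strip all whitespace, as the page describes
  if (parts.length !== 3) throw new Error("expected header.payload.signature (JWS compact form)");
  const [h, p, s] = parts;
  const header = decodeJson(h);
  const payload = decodeJson(p);
  let signature = "not checked"; // decoding alone proves nothing about authenticity
  if (secret !== undefined) {
    const hash = HMAC_ALGS.get(header.alg);
    if (!hash) {
      signature = "unsupported alg"; // RS256 / ES256 / EdDSA / none: decode only
    } else {
      const expected = mac(hash, secret, `${h}.${p}`); // the MAC covers the encoded segments
      const got = Buffer.from(s, "base64url");
      const ok = got.length === expected.length && timingSafeEqual(got, expected);
      signature = ok ? "valid" : "invalid";
    }
  }
  return {
    header, payload, signature,
    expired: typeof payload.exp === "number" && nowSec >= payload.exp,     // RFC 7519, 4.1.4
    notYetValid: typeof payload.nbf === "number" && nowSec < payload.nbf, // RFC 7519, 4.1.5
  };
}

// Constructed sample token (hypothetical claims and secret), built here so the demo runs offline.
function makeSampleToken(payload, secret, alg = "HS256") {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  const signingInput = `${enc({ alg, typ: "JWT" })}.${enc(payload)}`;
  return `${signingInput}.${mac(HMAC_ALGS.get(alg), secret, signingInput).toString("base64url")}`;
}

const SAMPLE_SECRET = "constructed-demo-secret";
const SAMPLE = makeSampleToken(
  { iss: "https://issuer.example", sub: "user-1", iat: 1700000000, nbf: 1700000000, exp: 1700003600 },
  SAMPLE_SECRET
);
console.log(inspectJwt(SAMPLE, SAMPLE_SECRET, 1700000100));
```

The third argument pins the clock so the expiry checks are reproducible; leave it out to compare against the device clock, which is what the badges on the page do.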