JWT Decoder
Paste any JSON Web Token to instantly decode its header, payload, and signature. Highlights expiry time and checks token structure without any server call.
About This Tool
JSON Web Tokens are everywhere in modern web authentication. If you've worked with OAuth2, OpenID Connect, or any API that uses bearer tokens, you've handled JWTs. This tool helps you instantly inspect what's inside one.
JWT structure
A JWT is three Base64URL-encoded parts joined by dots: `header.payload.signature`. The header identifies the algorithm. The payload carries claims — user identity, expiry, issued-at, and any custom data. The signature is a cryptographic proof that the token was issued by a trusted party.
What this tool shows
Paste any JWT and the tool decodes the header and payload into readable JSON. It highlights key claims: `exp` (expiry), `iat` (issued-at), `nbf` (not-before), `sub` (subject), `iss` (issuer), and `aud` (audience). Expired tokens are flagged with a red indicator — useful when debugging "401 unauthorized" errors.
What this tool does NOT do
Signature verification requires the secret key or public key used to sign the token. This tool cannot and does not verify signatures. That is intentional: you should never share your JWT signing secret with a third-party tool. For signature verification, use your own backend or a trusted SDK.
Security note
JWT payloads are encoded, not encrypted. Anyone who has your token can decode and read the payload without a key. Sensitive data (passwords, credit card numbers) must never be placed in a JWT payload unless the token is additionally encrypted (JWE).
Common debugging scenarios
- Why is my API returning 401? → Check if the `exp` claim is in the past.
- What user is this token for? → Check the `sub` or `email` claims.
- Is this token from the expected issuer? → Check the `iss` claim.
- Why is the token rejected before expiry? → Check the `nbf` claim.
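As an added example (not the tool's own code), here is a minimal decoder in JavaScript that does what the page describes: split the three Base64URL parts, parse header and payload, flag `exp`/`nbf`/`iat` problems, and leave the signature opaque because it cannot be checked without the key. The sample token, its claim values and the `makeSampleToken` helper are constructed for this example.

```javascript
// Base64URL (RFC 4648 §5) uses '-' and '_' and omits '=' padding; restore
// standard Base64 so Buffer can decode it.
function base64UrlDecode(part) {
  const b64 = part.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

// Encoder is only needed to build the constructed sample token below.
function base64UrlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Split header.payload.signature and parse the two JSON parts. The signature
// is returned opaque: it cannot be checked without the signing key.
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated parts, got ${parts.length}`);
  }
  const [header, payload, signature] = parts;
  return {
    header: JSON.parse(base64UrlDecode(header)),
    payload: JSON.parse(base64UrlDecode(payload)),
    signature,
  };
}

// Time checks behind the tool's "expired" indicator. `now` is in seconds
// (JWT NumericDate). RFC 7519: exp must be after now, nbf at or before now.
function checkTimes(payload, now) {
  const issues = [];
  if (typeof payload.exp === 'number' && now >= payload.exp) issues.push('expired');
  if (typeof payload.nbf === 'number' && now < payload.nbf) issues.push('not yet valid');
  if (typeof payload.iat === 'number' && payload.iat > now) issues.push('issued in the future');
  return issues;
}

// Constructed sample: header and claims are invented, signature is a dummy string.
function makeSampleToken(claims) {
  const header = { alg: 'HS256', typ: 'JWT' };
  return [base64UrlEncode(JSON.stringify(header)),
          base64UrlEncode(JSON.stringify(claims)),
          'dummy-signature'].join('.');
}

const sampleToken = makeSampleToken({ sub: 'user-42', iss: 'https://issuer.example',
                                      iat: 1699990000, nbf: 1699990000, exp: 1700000000 });
console.log(decodeJwt(sampleToken).payload, checkTimes(decodeJwt(sampleToken).payload, 1700000001));
```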
Last updated: May 1, 2026