How to Decode JWT Tokens
- 1
Paste your JWT token
Copy a JWT from an Authorization header, cookie, local storage, or API response and paste it into the input field.
- 2
Inspect the decoded sections
The token is split into its three parts: header (algorithm and type), payload (claims and custom data), and signature. Each section is displayed in structured panels with claims clearly organized.
- 3
Review the security analysis
The tool flags potential security concerns such as the "none" algorithm, missing expiration claims, excessively long lifetimes, and tokens that have already expired based on the current time.
- 4
Copy individual sections
Copy the decoded header, payload, or full token JSON independently. Timestamp claims like iat, exp, and nbf are automatically converted to human-readable dates alongside the raw values.
Key Features
Instant Token Decoding
Paste a JWT and instantly see the decoded header and payload as structured, clearly formatted panels with all claims labeled and color-coded.
Security Analysis
Automatically detects common JWT security issues including the "none" algorithm attack, missing exp claims, expired tokens, and weak algorithm choices.
Timestamp Conversion
Claims containing Unix timestamps (iat, exp, nbf) are automatically converted to human-readable dates with timezone information and relative time labels.
Batch Processing
Decode multiple JWT tokens at once to compare claims, check expiration times across sessions, or audit tokens from different environments.
Completely Offline
Decoding happens entirely in your browser. The token is never sent to any server, making it safe to inspect production tokens with sensitive user data.
When to Use a JWT Decoder
JSON Web Tokens are the backbone of modern authentication and authorization in web applications, mobile apps, and microservice architectures. During development, you constantly need to peek inside tokens to verify that the correct claims are present, check scopes and roles, confirm expiration times, and diagnose "401 Unauthorized" errors. This tool decodes any JWT instantly without requiring a secret key.
Security auditing is another critical use case. When reviewing an authentication system, you need to verify that tokens use an appropriate algorithm (an asymmetric one such as RS256 or ES256 where many services verify tokens, since HS256 obliges every verifier to hold the signing secret and a short or guessable secret can be brute-forced offline), have reasonable expiration windows, and include the expected audience and issuer claims. The built-in security analysis surfaces these concerns automatically, acting as a quick sanity check for your token configuration.
Note that this tool decodes tokens; it does not verify signatures. Verification needs the HMAC secret or the issuer's public key, and the secret must never be pasted into a web tool. For debugging, decoding is sufficient to inspect claims and diagnose most authentication issues without exposing signing keys, but a decoded token tells you only what it claims, not whether the issuer actually said it.
Frequently Asked Questions
Does this tool verify JWT signatures?
No. This tool decodes and displays the header and payload of a JWT without verifying the signature. Verification requires the secret key for HMAC algorithms such as HS256, which should never be entered into an online tool, or the issuer's public key for RSA and ECDSA algorithms, which is public by design but which this tool does not use. Verify server-side in your application code, pinning the algorithm you expect rather than trusting the alg value in the header.
Is it safe to paste production JWT tokens here?
Yes. All decoding happens entirely in your browser using JavaScript. The token is never transmitted to any server. However, be mindful of shoulder surfing and screen sharing—decoded tokens may reveal user IDs, email addresses, roles, and other claim data.
What security issues does the analyzer detect?
The analyzer checks for the "none" algorithm vulnerability, missing or already-expired exp claims, tokens with excessively long lifetimes (over 24 hours for access tokens), use of HS256 (symmetric HMAC, where every verifier holds the signing secret and a short or guessable secret can be brute-forced offline from a single captured token), and missing standard claims like iss (issuer) and aud (audience).
Can I decode tokens from different providers (Auth0, Firebase, AWS Cognito)?
Yes. A JWT is a standardized format regardless of the issuing provider. Tokens from Auth0, Firebase, AWS Cognito, Okta, Keycloak, and any other OIDC-compliant provider will decode correctly. Provider-specific claims will appear in the payload alongside standard claims.
What do the iat, exp, and nbf claims mean?
These are standard time-based claims (RFC 7519 NumericDate values) encoded as Unix timestamps in seconds. "iat" (issued at) records when the token was created, "exp" (expiration time) is the time on or after which the token must not be accepted, and "nbf" (not before) is the time before which it must not be accepted. Verifiers typically allow a small clock-skew tolerance on exp and nbf. This tool converts all three to human-readable dates automatically.
Related Tools
Unix Timestamp Converter
Convert the Unix timestamps found in JWT claims (iat, exp, nbf) to human-readable dates.
JSON Formatter & Validator
Format the decoded JWT payload as clean, indented JSON for easier reading and sharing.
Base64 Encoder/Decoder
JWTs use unpadded Base64URL encoding ('-' and '_' instead of '+' and '/', no trailing '='), not standard Base64. Decode individual token segments or encode custom payloads for testing.
Password Generator
Generate strong secrets for HMAC-based JWT signing when configuring authentication systems. RFC 7518 requires an HS256 key of at least 256 bits (32 random bytes); a short passphrase is not an acceptable substitute.