How to Use
1. Paste your JWT token (the full string including the two dots) into the input field.
2. Review the decoded Header to identify the signing algorithm (e.g., HS256, RS256) and token type.
3. Inspect the Payload section for standard claims: sub (subject/user ID), iss (issuer), aud (audience), iat (issued at), and exp (expiration timestamp).
4. Read the expiration status indicator — it shows whether the token is currently valid and how much time remains before it expires (or how long ago it expired).
5. Use the copy buttons to copy the header or payload JSON for use in debugging, logging, or documentation.
6. Paste a different token at any time to decode it without refreshing the page.
About JWT Decoder
The JWT Decoder parses JSON Web Tokens to display the header and payload as formatted JSON. It shows the signing algorithm (HS256, RS256, etc.) from the header, and all standard claims from the payload — including issued at (iat), expiration (exp), subject (sub), and issuer (iss).
The expiration status is calculated automatically: you can see at a glance whether a token is still valid, how long until it expires, or how long ago it expired. This is especially useful when debugging authentication failures caused by expired tokens in development or staging environments.
JWTs are the standard for stateless authentication in modern web applications. They appear in Authorization headers (Bearer tokens), OAuth 2.0 flows, SSO systems, and API gateways. Being able to quickly inspect a token is essential for debugging login issues, verifying claims, and understanding what data your auth system transmits.
This tool only decodes the token — it does not verify the cryptographic signature, which would require the signing secret or public key. Decoding happens entirely in your browser, so your tokens are never exposed to any external service.
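The decode-only behaviour described above can be sketched in a few lines of JavaScript. This is an added example, not the tool's own source; the names `b64urlToString`, `decodeJwt`, `b64url` and `SAMPLE_TOKEN` are hypothetical, and the sample token is constructed with a placeholder signature segment.

```javascript
// Added example: decode-only JWT inspection. No signature check is performed,
// so every value returned here is unverified input.

// Base64url -> UTF-8 string (JWT segments use the URL-safe alphabet, no padding).
function b64urlToString(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error("segment is not Base64url");
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

// nowSeconds is injectable so the expiration status can be checked deterministically.
function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected three dot-separated segments");
  const header = JSON.parse(b64urlToString(parts[0]));
  const payload = JSON.parse(b64urlToString(parts[1]));
  let status = "no exp claim";
  let secondsRemaining = null;
  if (typeof payload.exp === "number") {
    // exp is a Unix timestamp in seconds; the token is expired at or after it.
    secondsRemaining = payload.exp - nowSeconds;
    status = secondsRemaining > 0 ? "valid" : "expired";
  }
  // The third segment is never inspected: decoding alone proves nothing about origin.
  return { header, payload, status, secondsRemaining, signatureVerified: false };
}

// Constructed sample token: the signature segment is a placeholder, not a real MAC.
function b64url(obj) {
  return btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
const SAMPLE_TOKEN = [
  b64url({ alg: "HS256", typ: "JWT" }),
  b64url({ sub: "user-123", iss: "https://auth.example.test", iat: 1700000000, exp: 1700003600 }),
  "c2lnbmF0dXJl",
].join(".");

console.log(decodeJwt(SAMPLE_TOKEN, 1700000600));
```

Because the placeholder signature decodes without complaint, the output also shows why decoded claims must not drive authorization decisions until the signature has been verified server-side.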
Frequently Asked Questions
Does this tool verify the JWT signature?
No. This tool only decodes the Base64url-encoded header and payload. Signature verification requires the signing secret (for HS256) or the public key (for RS256/ES256), which should never be entered into a browser tool.
How do I check if my JWT is expired?
Paste the token and the tool reads the "exp" claim automatically. It shows whether the token is still valid, how long until it expires, or how long ago it expired.
What do the iat, exp, sub, and iss claims mean?
iat = issued at (Unix timestamp when the token was created), exp = expiration (Unix timestamp after which the token is invalid), sub = subject (typically the user ID), iss = issuer (the service that issued the token, e.g., your auth server URL).
Can I use this to debug tokens from Auth0, Firebase, or AWS Cognito?
Yes. Tokens from any standard JWT-issuing service (Auth0, Firebase Auth, Cognito, Keycloak, Okta, etc.) follow the same Base64url format and decode correctly. You will see all the custom claims these platforms include in the payload.
What is the difference between HS256 and RS256?
HS256 uses a shared symmetric secret to sign and verify. RS256 uses an asymmetric key pair — the private key signs the token, and the public key verifies it. RS256 is preferred for multi-service architectures because you can share the public key without exposing the signing secret.
Is my JWT token safe to paste here?
Yes. Decoding happens entirely in your browser using JavaScript. The token is never transmitted to any external server. That said, avoid pasting production tokens in public or shared environments where others can see your screen.