JWT Decoder
Paste a JSON Web Token to decode its header, payload, and signature. Verify HMAC signatures and see expiration countdowns.
About This Tool
The JWT Decoder lets you inspect the contents of any JSON Web Token without sending it to a server. JWTs are compact, URL-safe tokens used for authentication and information exchange in modern web applications. They consist of three Base64url-encoded parts separated by dots: a header (algorithm and token type), a payload (claims), and a signature.
This tool decodes the header and payload into readable JSON and displays each part with color coding — blue for the header, violet for the payload, and amber for the signature. Standard claims like iss, sub, aud, exp, iat, and jti include tooltip explanations. Timestamp claims are automatically converted to human-readable dates, and the exp claim shows a live countdown so you can see exactly when the token expires.
For HMAC-signed tokens (HS256, HS384, HS512), you can verify the signature by entering the secret key. RSA and ECDSA verification requires a public key and is not supported in this tool. All decoding and verification happens entirely in your browser using the Web Crypto API — your tokens and secrets never leave your machine.
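The HMAC check described above, as an added example that is not the tool's own source: it decodes the three parts, accepts only HS256/HS384/HS512 from the header, and verifies the signature over `header.payload` with the Web Crypto API. The function names, the `nowSec` parameter, and the `require` fallback for older Node runtimes are assumptions of this sketch; `signHmacJwt` exists only to build a constructed sample token.

```javascript
// Added example, not the tool's source; function names are hypothetical.
const { subtle } = globalThis.crypto ?? require("node:crypto").webcrypto;
const enc = new TextEncoder();
// Allow-list: only HMAC algorithms; "none", RS* and ES* headers are rejected.
const HMAC_ALGS = { HS256: "SHA-256", HS384: "SHA-384", HS512: "SHA-512" };

// Base64url -> bytes. atob() expects standard Base64, so map the alphabet and re-pad.
function b64urlToBytes(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
}

function bytesToB64url(bytes) {
  return btoa(String.fromCharCode(...bytes))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

const importKey = (secret, alg, usage) =>
  subtle.importKey("raw", enc.encode(secret), { name: "HMAC", hash: HMAC_ALGS[alg] }, false, [usage]);

// Builds a constructed sample token so the verifier below has something to check.
async function signHmacJwt(header, payload, secret) {
  const input = [header, payload].map((o) => bytesToB64url(enc.encode(JSON.stringify(o)))).join(".");
  const key = await importKey(secret, header.alg, "sign");
  const sig = new Uint8Array(await subtle.sign("HMAC", key, enc.encode(input)));
  return `${input}.${bytesToB64url(sig)}`;
}

// Returns { valid, expired, header, payload }; throws on malformed or non-HMAC tokens.
async function verifyHmacJwt(token, secret, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected three dot-separated parts");
  const [h, p, s] = parts;
  const dec = new TextDecoder();
  const header = JSON.parse(dec.decode(b64urlToBytes(h)));
  const payload = JSON.parse(dec.decode(b64urlToBytes(p)));
  if (!Object.hasOwn(HMAC_ALGS, header.alg)) throw new Error(`unsupported alg: ${header.alg}`);
  const key = await importKey(secret, header.alg, "verify");
  // The MAC covers the exact encoded bytes "header.payload", not the re-serialized JSON.
  const valid = await subtle.verify("HMAC", key, b64urlToBytes(s), enc.encode(`${h}.${p}`));
  const expired = typeof payload.exp === "number" && nowSec >= payload.exp;
  return { valid, expired, header, payload };
}
```

A decoded payload should be treated as untrusted until `valid` is true, and `expired` is reported separately because a correctly signed token can still be past its `exp`.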
How to Use
- Paste a JWT into the input area.
- The header and payload are decoded instantly. View the color-coded token structure at the top.
- Hover over claim names (e.g. exp, sub) for explanations. Timestamp claims show human-readable dates.
- If the token has an exp claim, a live countdown shows whether it has expired.
- To verify an HMAC signature, enter the secret key and click Verify.
- Click Copy or press Ctrl+Shift+C to copy the decoded header and payload as JSON.
FAQ
Is it safe to paste my JWT here?
Yes. The entire decoding process runs in your browser using JavaScript's atob() and the Web Crypto API. No data is sent to any server, and nothing is logged or stored.
What is a JWT?
A JSON Web Token (JWT) is an open standard (RFC 7519) for securely transmitting information between parties as a JSON object. It is commonly used for authentication — after a user logs in, the server issues a JWT that the client sends with subsequent requests.
Can I verify RSA or ECDSA signatures?
This tool only supports HMAC signature verification (HS256, HS384, HS512). RSA and ECDSA verification requires importing a public key, which is not currently supported.
What do the claim abbreviations mean?
Standard claims include: iss (issuer), sub (subject), aud (audience), exp (expiration), nbf (not before), iat (issued at), and jti (JWT ID). Hover over any claim name in the decoded payload to see its explanation.
Does decoding a JWT reveal the secret key?
No. The header and payload are only Base64url-encoded, not encrypted — anyone can decode them. The signature proves the token hasn't been tampered with, but the secret key itself is not included in the token.