How to use JWT Decoder
Decode JWT headers and claims locally to inspect exp, aud, iss, scopes, roles, and token structure before debugging API authentication or OAuth flows. The decoder also extracts JWTs from Authorization: Bearer headers, cURL commands, URL query parameters (access_token / id_token), JSON payloads, cookies, and log snippets — runs entirely in your browser.
What it does
- Decode JWT header and payload, view the signature segment, and detect malformed or JWE-like tokens.
- Verify HS256 / HS384 / HS512 signatures with a local HMAC secret (the secret never leaves your browser and is never included in share links).
- Show a human-readable timeline for iat / nbf / exp in UTC, local time, and relative status.
- Validate against expected claims: issuer, audience, subject, allowed algorithms, max lifetime, clock skew.
- Run a security review for alg=none, missing exp, long lifetime, unsafe header references (kid / jku / jwk / x5u / x5c / crit).
- Scan payload for sensitive data (tokens, passwords, client_secret, emails, embedded JWTs).
- Inspect scopes / roles / permissions and detect OAuth access-token vs OIDC ID-token profiles.
- Compare two tokens (old vs refreshed, dev vs prod, user vs admin) with header / payload / claim / scope diffs.
- Export sanitized Markdown / JSON / CSV reports.
When to use it
- A login is failing and you need to inspect the token your API is receiving.
- You want to check whether a JWT has expired by reading the exp claim.
- You need to verify that the aud, iss, or role claims are correct before debugging further.
- You received a token from an identity provider and need to confirm which app, user, or tenant it represents.
- You need to compare a token from before and after a refresh, or compare a user token against an admin token.
How to use it
- Paste the full JWT, an Authorization: Bearer header, a cURL command, a URL with access_token, or a JSON object — the decoder extracts the JWT automatically.
- The tool immediately splits and Base64URL-decodes the header and payload.
- Check the exp, iat, aud, and iss fields in the registered-claims table and Timeline.
- Optionally set expected issuer / audience / allowed algorithms / max lifetime and run validation.
- For HS256/384/512, paste the shared HMAC secret to verify the signature locally.
- For RS256 / ES256 / PS / EdDSA, hand off to the JWT & OAuth Security Toolkit.
Tips & pitfalls
- Decoding is not verification. Anyone can decode a JWT — signature verification confirms it was issued by a trusted party.
- Signed is not encrypted. JWT header and payload are readable by anyone holding the token. Do not store secrets in JWT payloads.
- The exp and iat values are Unix timestamps in seconds, not milliseconds.
- If a token has three parts but the header or payload decodes to garbage, the token may be malformed or use a non-standard encoding.
- Five-part tokens are likely JWE (encrypted) and cannot be decoded here without the decryption key.
- Never trust the alg header by itself. The server should enforce the expected algorithm.
- Tokens in URL query strings can leak via logs and browser history. Strip them before sharing.
- This tool does not perform network requests, fetch JWKS URLs, or contact identity providers.
FAQ
- Does decoding a JWT verify it? No. Decoding only reads the header and payload. This page verifies only HMAC signatures when you supply the shared secret; for RS256 / ES256 / PS / EdDSA verification use the JWT & OAuth Security Toolkit.
- Is a JWT encrypted? Standard JWS tokens are not — they are signed but not encrypted. Only JWE tokens are encrypted, and this tool does not decrypt them.
- Can anyone read a JWT payload? Yes, anyone holding the token can. Treat the payload as public.
- What does exp mean? Expiration time as a Unix timestamp in seconds. After that instant, the token is expired.
- What does iat mean? Issued-at timestamp (seconds). Useful to compute token age.
- What does nbf mean? Not-before timestamp. The token must not be accepted before this time.
- Why is my JWT expired? Compare exp to now in the Timeline tab. Refresh or request a new token from the identity provider.
- What is alg=none? A historical algorithm that means "no signature". Servers must reject it unless explicitly required. This decoder flags it as a critical security finding.
- Can this verify RS256 tokens? No — use the JWT & OAuth Security Toolkit for asymmetric verification. We provide a one-click handoff.
- Why should I not paste production secrets? Although verification runs locally, you should still avoid copying production HMAC secrets into anything you do not need to. We never include the secret in share links or analytics.
- What is the difference between access token and ID token? An access token authorizes API calls (often opaque or JWT). An ID token (always JWT in OIDC) carries user identity claims. The OAuth/OIDC panel tries to detect which profile your token matches.
- Why should JWT payload not contain secrets? Because anyone holding the token can read the payload. Use opaque session IDs instead, or encrypt the payload (JWE).
- How do I decode a JWT token online? Paste the token above and the decoder splits it on the dots and Base64URL-decodes the header and payload into readable JSON instantly, in your browser. No token is uploaded.
Runs locally in your browser. No uploads. No analytics on pasted JWTs or HMAC secrets.
Decoding a JWT from an API call? The API Debugging Studio auto-decodes the Authorization Bearer token alongside headers, body, and a secrets scan.