Free, browser-based utilities for everyday developer workflows
JWT Decoder
Decode JSON Web Tokens (JWTs) in your browser. This tool Base64URL-decodes the
header and payload and formats them as JSON. It can verify HMAC signatures (HS256/384/512) when you provide the shared secret. Decoding on its own proves nothing about who issued a token; only verification does. Do not paste secrets or tokens you do not control.
Decode JWT header and payload instantly.
Inspect claims like exp, iat, aud, iss.
Verify HMAC signatures (HS256/384/512) with a secret.
Share results: Generate a link that carries your current input and results so teammates can open the same view. Nothing is uploaded to any server, which means the link itself has to contain the token and whatever else you entered; share it only with people who should hold that token. The HMAC secret is never part of the link.
Token input
Paste a full JWT below in the format header.payload.signature. Only the first two parts are decoded; the signature is shown as-is.
Header
Payload (claims)
Signature (Base64URL)
Signature verification in this page is limited to HS256, HS384, and HS512 when you provide the shared secret. For RS256, ES256, and other asymmetric algorithms, use the JWT & OAuth Security Toolkit.
Scan payload for secret-like values before sharing.
PII Detector & Redactor
Redact personal data before sharing the payload.
HTTP Headers Parser
Re-inspect the Authorization header safely.
URL Parser & Query Builder
Strip access_token / id_token from URLs.
cURL Converter
Inspect or rebuild the request that carried the token.
Base64 Encoder / Decoder
Debug individual Base64URL segments.
How to use JWT Decoder
Decode JWT headers and claims locally to inspect exp, aud, iss, scopes, roles, and token structure before debugging API authentication or OAuth flows. The decoder also extracts JWTs from Authorization: Bearer headers, cURL commands, URL query parameters (access_token / id_token), JSON payloads, cookies, and log snippets. Everything runs in your browser.
What it does
Decode JWT header and payload, view the signature segment, and detect malformed or JWE-like tokens.
Verify HS256 / HS384 / HS512 signatures with a local HMAC secret (the secret never leaves your browser and is never included in share links).
Show a human-readable timeline for iat / nbf / exp in UTC, local time, and relative status.
Validate against expected claims: issuer, audience, subject, allowed algorithms, max lifetime, clock skew.
Run a security review for alg=none, missing exp, long lifetime, and header parameters that reference key material or demand extensions (kid / jku / jwk / x5u / x5c / crit), which a verifier must resolve against a server-side allowlist rather than fetch or trust from the token.
Scan payload for sensitive data (tokens, passwords, client_secret, emails, embedded JWTs).
Inspect scopes / roles / permissions and detect OAuth access-token vs OIDC ID-token profiles.
Compare two tokens (old vs refreshed, dev vs prod, user vs admin) with header / payload / claim / scope diffs.
Export sanitized Markdown / JSON / CSV reports.
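The expected-claim validation, security review and timeline items above, as an added stand-alone example (this is illustration code written for this page, not the tool's own implementation). It works on already-decoded header and payload objects and needs no network or crypto. The policy field names, severity levels, the millisecond threshold and the sample headers and payloads are assumptions made for the example.

```javascript
// Added example (not the tool's own code): validate a decoded JWT against
// expected claims, run the header/payload security review and build the
// iat / nbf / exp timeline. Takes already-decoded header and payload objects;
// no network and no crypto. Node.js 16+, no external packages.

// Header parameters that let a token point at key material or demand
// extensions. jku/jwk/x5u/x5c are the dangerous ones (attacker-chosen keys);
// kid and crit are reported as info so they are visible but not noisy.
const HEADER_REFERENCE_LEVEL = { jku: 'warning', jwk: 'warning', x5u: 'warning', x5c: 'warning', kid: 'info', crit: 'info' };

// Expected-claim policy. Field names are assumptions made for this example.
const DEFAULT_POLICY = {
  issuer: null,            // expected iss, or null to skip the check
  audience: null,          // value that aud (string or array) must contain
  subject: null,           // expected sub, or null to skip
  allowedAlgs: ['RS256', 'PS256', 'ES256', 'EdDSA'],
  maxLifetimeSeconds: 3600,
  clockSkewSeconds: 60,
  requireExp: true,
};

// Registered time claims are NumericDate: seconds since the Unix epoch.
// Anything above 1e11 (year 5138 if read as seconds) is a millisecond value by mistake.
const MILLIS_THRESHOLD = 1e11;

function reviewJwt(header, payload, policy = {}, nowSeconds = Math.floor(Date.now() / 1000)) {
  const p = { ...DEFAULT_POLICY, ...policy };
  const findings = [];
  const add = (level, claim, msg) => findings.push({ level, claim, msg });

  // Algorithm: alg=none is always critical; anything off the allowlist is too.
  if (header.alg === 'none') add('critical', 'alg', 'alg=none: the token carries no signature');
  else if (!p.allowedAlgs.includes(header.alg)) add('critical', 'alg', `alg ${header.alg} is not in the allowlist`);
  for (const [name, level] of Object.entries(HEADER_REFERENCE_LEVEL)) {
    if (name in header) add(level, name, `header carries ${name}; resolve it against a server-side allowlist, never fetch or trust it directly`);
  }

  // Time claims, with clock skew applied in the token's favour.
  const t = {};
  for (const name of ['iat', 'nbf', 'exp']) {
    const v = payload[name];
    if (v === undefined) continue;
    if (typeof v !== 'number') { add('warning', name, `${name} is not a number`); continue; }
    if (v > MILLIS_THRESHOLD) add('warning', name, `${name} looks like milliseconds; NumericDate is seconds`);
    t[name] = v;
  }
  if (t.exp === undefined) { if (p.requireExp) add('warning', 'exp', 'no exp claim: the token never expires'); }
  else if (t.exp <= nowSeconds - p.clockSkewSeconds) add('critical', 'exp', `expired ${nowSeconds - t.exp}s ago`);
  if (t.nbf !== undefined && t.nbf > nowSeconds + p.clockSkewSeconds) add('warning', 'nbf', 'not yet valid');
  if (t.iat !== undefined && t.iat > nowSeconds + p.clockSkewSeconds) add('warning', 'iat', 'issued in the future');
  if (t.iat !== undefined && t.exp !== undefined && t.exp - t.iat > p.maxLifetimeSeconds) {
    add('warning', 'exp', `lifetime ${t.exp - t.iat}s exceeds the ${p.maxLifetimeSeconds}s maximum`);
  }

  // Identity claims: iss and sub are exact matches; aud may be a string or an array.
  if (p.issuer !== null && payload.iss !== p.issuer) add('critical', 'iss', `iss ${payload.iss} is not ${p.issuer}`);
  if (p.audience !== null) {
    const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
    if (!aud.includes(p.audience)) add('critical', 'aud', `aud ${JSON.stringify(payload.aud)} does not contain ${p.audience}`);
  }
  if (p.subject !== null && payload.sub !== p.subject) add('critical', 'sub', `sub ${payload.sub} is not ${p.subject}`);

  // Sensitive data that should never ride in a readable payload.
  const text = JSON.stringify(payload);
  for (const key of Object.keys(payload)) {
    if (/password|passwd|secret|private_key|refresh_token/i.test(key)) add('warning', key, 'secret-like claim in a readable payload');
  }
  if (/[\w.+-]+@[\w-]+\.[\w.-]+/.test(text)) add('info', 'payload', 'contains an e-mail address (PII)');
  if (/eyJ[\w-]+\.[\w-]+\.[\w-]*/.test(text)) add('warning', 'payload', 'embeds another JWT');
  return findings;
}

// UTC timeline for the time claims, relative to a fixed "now".
function timeline(payload, nowSeconds = Math.floor(Date.now() / 1000)) {
  return ['iat', 'nbf', 'exp']
    .filter((claim) => typeof payload[claim] === 'number')
    .map((claim) => {
      const delta = payload[claim] - nowSeconds;
      return { claim, unix: payload[claim], utc: new Date(payload[claim] * 1000).toISOString(),
               relative: delta >= 0 ? `in ${delta}s` : `${-delta}s ago` };
    });
}

// Constructed samples (not real tokens) and a fixed clock for reproducible output.
const NOW = 1700000000; // 2023-11-14T22:13:20Z
const POLICY = { issuer: 'https://issuer.example', audience: 'api://orders', allowedAlgs: ['RS256'] };
const GOOD_HEADER = { alg: 'RS256', typ: 'JWT', kid: 'key-2024-01' };
const GOOD_PAYLOAD = { iss: 'https://issuer.example', aud: ['api://orders', 'api://billing'], sub: 'user-42',
                       iat: NOW - 300, nbf: NOW - 300, exp: NOW + 900, scope: 'orders:read' };
const BAD_HEADER = { alg: 'none', jku: 'https://attacker.example/jwks.json' };
const BAD_PAYLOAD = { iss: 'https://evil.example', aud: 'api://other', sub: 'admin', email: 'alice@example.com',
                      password: 'hunter2', iat: (NOW - 86400) * 1000, exp: (NOW + 30 * 86400) * 1000 };
```

Run with `reviewJwt(BAD_HEADER, BAD_PAYLOAD, POLICY, NOW)` and the bad token produces three critical findings (alg=none, wrong iss, wrong aud) plus warnings for the jku reference, the millisecond timestamps, the multi-week lifetime and the password claim; the good token yields only an info line for kid. The skew is applied in the token's favour on both ends, so a token that expired 30 seconds ago is still accepted under the 60-second default while one that expired two minutes ago is not.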
When to use it
A login is failing and you need to inspect the token your API is receiving.
You want to check whether a JWT has expired by reading the exp claim.
You need to verify the aud, iss, or role claims are correct before debugging further.
You received a token from an identity provider and need to confirm which app, user, or tenant it represents.
You need to compare a token from before and after a refresh, or compare a user token against an admin token.
How to use it
Paste the full JWT, an Authorization: Bearer header, a cURL command, a URL with access_token, or a JSON object — the decoder extracts the JWT automatically.
The tool immediately splits and Base64URL-decodes the header and payload.
Check the exp, iat, aud, and iss fields in the registered-claims table and Timeline.
Optionally set expected issuer / audience / allowed algorithms / max lifetime and run validation.
For HS256/384/512, paste the shared HMAC secret to verify the signature locally.
For RS256 / ES256 / PS / EdDSA, hand off to the JWT & OAuth Security Toolkit.
Tips & pitfalls
Decoding is not verification. Anyone can decode a JWT; only signature verification with the right secret or public key confirms that a trusted party issued it and that the header and payload were not changed afterwards.
Signed is not encrypted. JWT header and payload are readable by anyone holding the token. Do not store secrets in JWT payloads.
The exp, iat, and nbf values are Unix timestamps in seconds, not milliseconds. A 13-digit value is almost certainly milliseconds; read as seconds it lands thousands of years in the future, so such a token effectively never expires.
If a token has three parts but the header or payload decodes to garbage, the token may be malformed or use a non-standard encoding.
Five-part tokens are JWE (encrypted). The protected header still decodes, but the payload is ciphertext and cannot be read here without the decryption key.
Never trust the alg header by itself. The server should pin the expected algorithm and key type instead of accepting whatever the token names; accepting the token's own alg is how alg=none and HMAC/RSA key-confusion attacks succeed.
Tokens in URL query strings can leak via logs and browser history. Strip them before sharing.
This tool does not perform network requests, fetch JWKS URLs, or contact identity providers.
FAQ
Does decoding a JWT verify it? No. Decoding only reads the header and payload. Verification requires a trusted secret or public key.
Is a JWT encrypted? Standard JWS tokens are not — they are signed but not encrypted. Only JWE tokens are encrypted, and this tool does not decrypt them.
Can anyone read a JWT payload? Yes, anyone holding the token can. Treat the payload as public.
What does exp mean? Expiration time as a Unix timestamp in seconds. After that instant, the token is expired.
What does iat mean? Issued-at timestamp (seconds). Useful to compute token age.
What does nbf mean? Not-before timestamp. The token must not be accepted before this time.
Why is my JWT expired? Compare exp to now in the Timeline tab. Refresh or request a new token from the identity provider.
What is alg=none? A registered JWS algorithm value meaning "unsecured": no signature or MAC at all. Servers must reject it unless an unsecured JWS is explicitly expected. This decoder flags it as a critical security finding.
Can this verify RS256 tokens? No — use the JWT & OAuth Security Toolkit for asymmetric verification. We provide a one-click handoff.
Why should I not paste production secrets? Although verification runs locally, a production HMAC secret should not be copied into any tool that does not strictly need it, this one included. We never include the secret in share links or analytics.
What is the difference between access token and ID token? An access token authorizes API calls (often opaque or JWT). An ID token (always JWT in OIDC) carries user identity claims. The OAuth/OIDC panel tries to detect which profile your token matches.
Why should JWT payload not contain secrets? Because anyone holding the token can read the payload. Use opaque session IDs instead, or encrypt the payload (JWE).
Runs locally in your browser. No uploads. No analytics on pasted JWTs or HMAC secrets.