esc

JWT Decoder

Decode JSON Web Tokens online, inspect header and payload claims, check expiry and verify supported HMAC signatures locally.

Encoded
Header Payload Signature
Decoded
Valid JWT parts
Claims
Signature

Decoding never checks the signature — anyone can read an unverified token. For HMAC tokens (HS256 / HS384 / HS512) you can verify it below; your secret is used only in the browser and is never sent anywhere. RSA / ECDSA tokens need the issuer's public key and aren't verifiable here.

Guide

Anatomy of a JSON Web Token

A JWT is three Base64URL-encoded segments joined by dots: header.payload.signature. The header names the signing algorithm (alg) and token type (typ); the payload carries the claims — standard ones like iss, sub, exp plus any custom fields; the signature is computed over the first two segments so the token can't be tampered with undetected.

A JWT decoder is useful for reading authentication claims, debugging expiry, checking issuer and audience values, and confirming which algorithm a token declares. Decoding is not the same as verifying. The header and payload are merely encoded, not encrypted — anyone can read them, which is why you should never put secrets in a JWT. Only checking the signature against the issuer's key proves the token is authentic and unaltered. This tool decodes everything client-side and can verify HMAC signatures locally; the token never leaves your machine.

FAQ

Frequently asked questions

Is my token sent to a server?

No. Splitting, Base64URL decoding, claim inspection and supported HMAC signature checks run in your browser. Nothing is uploaded, but avoid pasting sensitive production tokens on shared or untrusted devices.

Does decoding verify the signature?

No. Decoding only reads the header and payload. A JWT can be readable yet forged. Use the Signature panel to verify HMAC tokens against the shared secret; RSA and ECDSA tokens require the issuer public key and are not verified here.

Why does it say my token is expired?

The exp claim is a Unix timestamp in seconds. If it is in the past, the token is expired. The nbf claim means not before; if it is in the future, the token is not valid yet. The check uses your device clock.

Should I put sensitive data in a JWT?

No. The header and payload are Base64URL-encoded, not encrypted. Anyone holding the token can read those claims, so keep passwords, API keys and private personal data out of JWT payloads.