JWT Decoder

Runs locally in your browser — data never leaves this device.

Decoded client-side only — signature is not verified. Do not paste production secrets.

Guide

What it does

The JWT Decoder parses JSON Web Tokens locally to reveal the header and payload as formatted JSON. Inspect claims like expiration, issuer, and subject during API development without leaving your browser. The signature is displayed for reference but is not cryptographically verified — decoding runs entirely on your device.

When to use it

  • Debugging OAuth access tokens and ID tokens during integration
  • Inspecting claim values like exp, iss, and sub while building auth flows
  • Learning JWT structure when onboarding to a new authentication provider
  • Verifying token format before sending to a backend validation endpoint
  • Quickly checking whether a token has expired without writing a script

How to use it

  1. Paste a JWT string into the input field — the three dot-separated segments are parsed automatically.
  2. Review the decoded header panel for algorithm and token type metadata.
  3. Read the payload panel for claims; timestamps like exp and iat are shown in human-readable form when possible.
  4. Check the signature segment — it is displayed but not verified against a secret or public key.
  5. Copy individual sections or the formatted JSON for documentation or bug reports.

Tips

  • Never paste production tokens into public screenshots or share URLs — treat decoded output as sensitive.
  • Compare the exp claim against current time to confirm whether refresh is needed.
  • If decoding fails, check for extra whitespace or missing segments — valid JWTs have exactly two dots.
  • Use this for inspection only; always validate signatures server-side before trusting claims.
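
The decode-only steps and checks described above (three segments, Base64URL, exp compared with the current time), as an added example that is not this tool's own code. The names b64urlToBytes, decodeJson, inspectJwt and SAMPLE, and the issuer idp.example, are assumptions made for illustration.

```javascript
// Added example: decode-only JWT inspection. The signature is never verified here.
function b64urlToBytes(seg) {
  if (!/^[A-Za-z0-9_-]*$/.test(seg)) throw new Error("segment is not Base64URL");
  if (seg.length % 4 === 1) throw new Error("invalid Base64URL length");
  // Map the URL-safe alphabet back to standard Base64 and restore stripped padding
  const b64 = seg.replace(/-/g, "+").replace(/_/g, "/")
                 .padEnd(Math.ceil(seg.length / 4) * 4, "=");
  return Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
}

function decodeJson(seg, name) {
  // fatal: true rejects invalid UTF-8 instead of silently substituting characters
  const text = new TextDecoder("utf-8", { fatal: true }).decode(b64urlToBytes(seg));
  const obj = JSON.parse(text);
  if (obj === null || typeof obj !== "object" || Array.isArray(obj))
    throw new Error(name + " is not a JSON object");
  return obj;
}

function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");            // tolerate pasted whitespace
  if (parts.length !== 3) throw new Error("expected 3 segments, got " + parts.length);
  const [h, p, s] = parts;
  const header = decodeJson(h, "header");
  const payload = decodeJson(p, "payload");
  const warnings = [];
  if (String(header.alg).toLowerCase() === "none") warnings.push("alg is none: token is unsigned");
  if (s === "") warnings.push("signature segment is empty");
  // exp is seconds since the epoch; null means the claim is absent or not numeric
  const expired = typeof payload.exp === "number" ? payload.exp <= nowSeconds : null;
  return { header, payload, signature: s, signatureVerified: false, expired, warnings };
}

// Constructed sample token; the third segment is a placeholder, not a real signature
const enc = (o) => btoa(JSON.stringify(o)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE = enc({ alg: "HS256", typ: "JWT" }) + "." +
  enc({ iss: "https://idp.example", sub: "user-123", iat: 1700000000, exp: 1700003600 }) +
  ".c2lnLXBsYWNlaG9sZGVy";
```

The returned signatureVerified field is always false: nothing in this output should be trusted for authorization until a server has validated the signature.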

FAQ

Is it safe to paste production tokens?

Decoding is local and nothing is uploaded, but tokens are credentials. Avoid sharing them in public channels or screenshots.

Does it verify the signature?

No. It displays the signature segment but does not validate it against a secret or JWKS key.

Is my token sent to a server?

No. Parsing happens entirely in your browser.

Why does my token fail to decode?

Ensure the string is a valid JWT with header.payload.signature format and uses Base64URL encoding.
