About

JSON Web Tokens (JWT) are the industry standard (RFC 7519) for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. This tool acts as a comprehensive client-side debugger, ensuring your sensitive tokens never leave your browser.

Accuracy in token inspection is critical for modern authentication flows (OAuth 2.0, OIDC). A single misconfigured claim, such as an incorrect aud (audience) or an expired exp timestamp, can cause widespread authentication failures. This tool visualizes the three components of a JWT - Header, Payload, and Signature - parsing standard claims into human-readable formats.

Security Note: All decoding and verification happen strictly in your browser using the Web Crypto API. No data is transmitted to any server.


Formulas

A JWT is constructed by concatenating the Header, Payload, and Signature, separated by periods (.).

token = base64(Header) + "." + base64(Payload) + "." + Signature

The signature is generated using the specified algorithm in the header. For HS256:

Signature = HMACSHA256(
base64(Header) + "." + base64(Payload),
secret
)

Reference Data

| Claim | Full Name | Description |
|-------|-----------|-------------|
| iss | Issuer | Identifies the principal that issued the JWT. |
| sub | Subject | Identifies the principal that is the subject of the JWT (user ID). |
| aud | Audience | Identifies the recipients that the JWT is intended for. |
| exp | Expiration Time | Identifies the expiration time on or after which the JWT must not be accepted. |
| nbf | Not Before | Identifies the time before which the JWT must not be accepted. |
| iat | Issued At | Identifies the time at which the JWT was issued. |
| jti | JWT ID | Unique identifier for the JWT. |
| alg | Algorithm | Header claim identifying the cryptographic algorithm used for the signature. |
| typ | Type | Header claim usually set to "JWT". |
| azp | Authorized Party | OIDC claim; the party authorized to use the token. |
| scope | Scope | OAuth 2.0 scopes (permissions) granted to the client. |

Frequently Asked Questions

This happens if the token content has been tampered with or if the Verify Secret you provided does not match the one used to sign the token. Even a single character difference in the Header or Payload invalidates the signature.
The "exp" (Expiration) claim is a Unix timestamp (seconds since Epoch). This tool automatically converts it to your local time zone and displays a relative countdown (e.g., 'Expires in 10 minutes').
Yes. This tool operates entirely in your browser's memory (Client-Side). No network requests are made to send your token to a backend server. However, as a best practice, avoid pasting highly sensitive production credentials in any browser window you do not control.
This usually indicates an encoding issue. The standard requires Base64Url encoding. If your token uses standard Base64 (with "+" and "/") or has unescaped special characters, the decoder might produce artifacts. Our tool attempts to auto-correct Base64Url to Base64 format.