JWT Decoder & Parser
Decode JSON Web Tokens and view their contents. Header and Payload are displayed instantly. All decoding is done entirely in the browser for security; signatures are not verified.
About this tool
Decodes the JWT header, payload, and signature from Base64URL and displays the claims. Does not verify signatures.
How to use
Paste a JWT string or load from file. It is decoded automatically; header, payload, claim classification, and validation are shown.
Options
Input: Paste in the text field or load from file (.txt, .jwt, etc.). After input, decode runs automatically; header, payload, signature, claim classification, and exp validation are shown.
Use cases
- Inspecting OAuth2/OIDC id_token
- Debugging claims
- Checking exp
- Viewing custom claims
Code Examples
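```javascript
// Decode header and payload from Base64URL (no signature verification).
// `jwt` is the compact token string: header.payload.signature
const decodePart = (b64url) => {
  const bin = atob(b64url.replace(/-/g, '+').replace(/_/g, '/'));
  // atob yields a byte string; decode it as UTF-8 so non-ASCII claims survive
  return JSON.parse(new TextDecoder().decode(Uint8Array.from(bin, (c) => c.charCodeAt(0))));
};
const [headerB64, payloadB64] = jwt.split('.');
const header = decodePart(headerB64);
const payload = decodePart(payloadB64);
```

```python
import jwt  # PyJWT

# Read the claims without checking the signature; `token` is the JWT string.
# The result is unauthenticated data: do not use it for access decisions.
decoded = jwt.decode(
    token,
    options={"verify_signature": False}
)
```

```php
use Firebase\JWT\JWT;

// This call verifies the signature (firebase/php-jwt 5.x form with an allowed-algorithm list).
// php-jwt 6.x replaces the algorithm list with Key objects: new Key($key, 'RS256')
$decoded = JWT::decode($token, $keys, ['RS256']);
// Without verify: decode Base64URL manually
```

How it works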
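A JWT is split into three dot-separated parts, xxx.yyy.zzz; each part is Base64URL-decoded, and the header and payload are shown as JSON. Signature verification is not performed (it requires the secret or public key), so decoded claims are not proof that the token is authentic.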
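The inspection flow described above (split, Base64URL-decode, classify claims, check exp), as an added example that is not this tool's own code. The function names, the warning strings and the sample token are assumptions constructed for illustration.

```javascript
// Added example: inspect a JWT without verifying it (browser or Node 16+).
const REGISTERED = ['iss', 'sub', 'aud', 'exp', 'nbf', 'iat', 'jti'];

function b64urlToJson(part) {
  if (!/^[A-Za-z0-9_-]+$/.test(part)) throw new Error('not Base64URL');
  const bin = atob(part.replace(/-/g, '+').replace(/_/g, '/'));
  const bytes = Uint8Array.from(bin, (c) => c.charCodeAt(0));
  // fatal: true rejects invalid UTF-8 instead of silently substituting U+FFFD
  const obj = JSON.parse(new TextDecoder('utf-8', { fatal: true }).decode(bytes));
  if (obj === null || typeof obj !== 'object' || Array.isArray(obj)) throw new Error('not a JSON object');
  return obj;
}

function inspectJwt(token, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const header = b64urlToJson(parts[0]);
  const payload = b64urlToJson(parts[1]);
  const registered = {}, custom = {};
  for (const [k, v] of Object.entries(payload)) {
    (REGISTERED.includes(k) ? registered : custom)[k] = v;
  }
  const warnings = [];
  if (String(header.alg).toLowerCase() === 'none') warnings.push('alg is "none": token is unsigned');
  if (parts[2] === '') warnings.push('empty signature');
  if (typeof payload.exp !== 'number') warnings.push('exp missing or not numeric');
  else if (nowSec >= payload.exp) warnings.push('expired');
  if (typeof payload.nbf === 'number' && nowSec < payload.nbf) warnings.push('not yet valid');
  // Nothing here checks the signature, so every decoded value is unauthenticated.
  return { header, registered, custom, warnings, signatureVerified: false };
}

// Constructed sample token; the third part is a placeholder, not a real signature.
const enc = (o) => btoa(JSON.stringify(o)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const SAMPLE = [
  enc({ alg: 'HS256', typ: 'JWT' }),
  enc({ iss: 'https://idp.example', sub: 'user-1', exp: 1700000000, role: 'admin' }),
  'c2lnbmF0dXJl',
].join('.');

console.log(inspectJwt(SAMPLE, 1700000001));
```

The `role` claim decodes cleanly even though the signature is a placeholder, which is why the result always carries `signatureVerified: false`.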
Privacy and data
Decoding is done entirely in the browser; the JWT is never sent to a server. Tokens are only handled in memory and are not stored.
FAQ
- Q: What is a JWT?
- A: A JWT (JSON Web Token) is a compact, URL-safe token format consisting of three Base64URL-encoded parts: header, payload, and signature. It is widely used for authentication (OAuth2, OIDC) and information exchange between services.
- Q: Does this tool verify the JWT signature?
- A: No. This tool only decodes the header and payload. Signature verification requires the secret key or public key, which is not supported here. Use your application's JWT library for signature verification.
- Q: What claims can I inspect?
- A: You can inspect all standard claims (iss, sub, aud, exp, nbf, iat, jti) and any custom claims in the payload. The tool also shows whether the token is expired based on the exp claim.
- Q: Is my JWT sent to any server?
- A: No. Decoding is done entirely in your browser. The JWT is never transmitted to any server and exists only in browser memory.
- Q: Why does my JWT show as expired?
- A: The exp claim contains a Unix timestamp for the expiration time. If the current time is past that timestamp, the token is considered expired. This is checked locally in your browser.
