JWT Token Input
## About This Tool
JWT (JSON Web Token) decoding is something I do almost daily when debugging authentication issues, inspecting API tokens, or troubleshooting SSO integrations. When a user reports "access denied" errors, the first thing I do is decode their JWT to check expiration time, roles, and claims. This tool decodes JWTs instantly without sending tokens to any server, which is critical when handling production access tokens or customer credentials. It splits the token into three parts (header, payload, signature), Base64URL-decodes the first two, and displays the JSON content in a readable format. The signature is shown but not verified: this is an inspection tool, not a validator. Perfect for developers integrating OAuth2, debugging Auth0/Cognito tokens, or understanding how JWT-based authentication works.

### JWT Structure

A JWT contains 3 parts separated by dots (`.`):

- **Header**: token type and signing algorithm (e.g., HS256, RS256)
- **Payload (claims)**: the actual data and claims
- **Signature**: verifies the token hasn't been tampered with

The decoder helps developers quickly view payload contents for debugging purposes such as viewing roles/permissions, checking token expiration, verifying issuer information, checking API scope, and validating token structure during auth implementation.

### Use Cases

**1. Debug Tokens from Authentication Providers**

- Firebase Auth
- Auth0
- AWS Cognito
- Supabase
- Keycloak

**2. Frontend Development**

Check:

- Does the claim `role=admin` exist?
- Is the token expired when users complain?
- Is the token structure correct?

**3. Backend Development**

Validate the payload before writing verification in the backend.

**4. QA / Testing**

Check API tokens during API testing.

**5. Security Review (Quick Inspection)**

Check the signature algorithm (`alg`) for security:

- HS256, RS256, ES256 → ✓ Secure
- NONE → ⚠️ Insecure

**6. Debugging OAuth 2.0 / OpenID Connect**

View:

- `iss` - Issuer
- `aud` - Audience
- `exp` - Expiration
- `nonce` - Replay attack prevention
- `azp` - Authorized party
## How to Use
Paste a JWT token (format: `xxxxx.yyyyy.zzzzz`) into the input field. The tool automatically splits it into header, payload, and signature sections. The header shows the algorithm (HS256, RS256, etc.) and token type. The payload displays claims like user ID (`sub`), expiration (`exp`), issued at (`iat`), issuer (`iss`), and any custom claims your app adds. Expiration times are Unix timestamps; the tool can convert these to readable dates. Use this when APIs return 401 errors to check whether tokens have expired, when debugging authorization to verify role/permission claims are present, or when learning JWT structure.

### Steps

1. Copy your JWT token
2. Paste it in the input field
3. The tool automatically separates header, payload, and signature
4. View the decoded result: JSON + claim breakdown
5. Use the copy/export buttons if needed
## Common Use Cases
### Debug Auth Errors
A user gets a 401 error; decode their token to check whether the `exp` (expiration) timestamp has passed. Tokens typically expire in 15-60 minutes.
### Verify Claims
Decode the access token to confirm the required claims (roles, permissions, email verified) are present before investigating other issues.
### Multi-tenant Debugging
Check the `tenant_id` or `organization_id` claims in the token to ensure the user is accessing the correct tenant's resources.
### Token Comparison
Decode tokens from different environments (dev/staging/production) to compare claim differences.
### Learning OAuth2/OpenID
Paste sample tokens from Auth0, Cognito, or Keycloak to understand the structure and standard claims like `aud` (audience) and `scope`.
## Limitations & Important Notes
⚠️ **Important**: This tool ONLY decodes JWTs; it does NOT verify signatures or validate tokens. A decoded token showing valid claims doesn't mean the token is authentic: attackers can craft tokens with false claims. Always verify signatures server-side using your secret key or public key (for RS256).

The tool works with standard JWT formats (`header.payload.signature` in Base64URL encoding). It doesn't handle encrypted JWTs (JWE) or nested tokens. If your token includes binary data or non-standard encoding, decoding may fail. For automated token validation in code, use proper JWT libraries like jsonwebtoken (Node.js), PyJWT (Python), or jose4j (Java).

Security note: Don't paste sensitive production tokens into online tools you don't trust. This tool runs client-side, but always verify in the DevTools Network tab that nothing is uploaded.