jwt decoder

How to use the jwt decoder

  1. Paste a JSON Web Token (a string with two periods separating three Base64URL parts) into the input.
  2. The header (algorithm, type) and payload (claims) decode instantly into pretty-printed JSON.
  3. Inspect standard claims: `iss`, `sub`, `aud`, `exp`, `iat`, `nbf`. Expiry timestamps are converted to human-readable dates.
  4. Optionally provide the signing secret or public key to verify the signature — the tool reports valid / invalid / unsupported algorithm.
  5. Decoding runs entirely in your browser. Tokens are never sent to a server.

When to use it

Use it when debugging an authentication flow — Auth0, Supabase, Firebase, custom JWT issuers. The decoded payload shows exactly which claims you're sending, which is the fastest way to spot a wrong `aud` or expired `exp`. Alternative: jwt.io is the classic option; this tool runs locally with the same UX, no analytics tracking, and works offline.

Frequently asked questions

What is a JWT?
JSON Web Token: a compact, URL-safe token with three parts (header.payload.signature) used for authentication and authorization. The header and payload are Base64URL-encoded JSON, not encrypted, so anyone holding the token can read the claims. The signature lets a party holding the verification key confirm that the token was produced by the issuer's key and has not been altered since.
Is my JWT sent to a server when I decode it?
No. Decoding happens entirely in your browser. Even signature verification (when you provide a key) runs locally via the Web Crypto API. A token is still a bearer credential, though: anything that can read your clipboard or the page (browser extensions, screen sharing) sees it, so handle production tokens the way you would a password.
Why does my JWT show as expired?
Check the `exp` claim: it's a Unix timestamp in seconds (not milliseconds). The decoder converts it to a human-readable date and flags expired tokens. Verifiers usually allow a small leeway (about a minute) for clock skew between issuer and verifier; if a freshly issued token already shows as expired, compare the issuer's clock with yours. JWT clients should refresh tokens before `exp`.
Can the decoder verify a JWT signature?
Yes. Paste the signing secret (HS256/HS384/HS512) or the public key (RS256/ES256) and the verifier reports whether the signature is valid. Verifying with the wrong key fails fast, which is useful for debugging trust issues. A valid signature only proves the token was signed with that key; `exp`, `nbf`, `iss` and `aud` still have to be checked by the service that accepts the token.
What does the `alg: none` warning mean?
Some JWT libraries used to accept `alg: none` (unsigned tokens), which is a known security vulnerability. The decoder warns if a token uses `none`; never accept it in production. More generally, a verifier should take the expected algorithm from its own configuration rather than from the token header: trusting the header is also what lets an attacker downgrade an RS256 token to HS256 and sign it with the public key as the HMAC secret.
How do I read the `aud` claim?
Audience, the intended recipient. It may be a single string or an array of strings. Your service should reject tokens whose `aud` doesn't include its own identifier, even when the signature is valid, because a token minted for another service is not proof of anything to yours. The decoder shows this claim front and center.

Related tools

  • Free Base64 Encoder / Decoder
  • Free Hash Generator
  • Free JSON Formatter
  • Free URL Encoder / Decoder

Last updated: 2026-04-27