JWT Token Decoder & Parser
Hint: Paste your JWT token to decode and view its header, payload, and signature. The tool validates token structure and format.
How It Works
- Step 1: Paste a JWT (JSON Web Token) in its three-part form, header.payload.signature separated by dots, typically taken from an Authorization header or an API response.
- Step 2: The decoder splits the token on the dots, then base64url-decodes the header and payload sections to reveal their JSON data without verifying the signature (decode only, no validation).
- Step 3: It parses the decoded JSON, extracts the header fields (alg, typ) and payload claims (sub, exp, iat, iss, aud), and displays the signature for verification reference.
- Step 4: It shows the decoded data with expiration status (expired/valid), timestamp conversion (exp and iat to human-readable dates), and claim explanations for debugging authentication issues.
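The steps above as a small decode-only routine, added here as an illustration and not taken from the tool's own source. The names `b64urlToText` and `decodeJwt` and the injectable `nowSec` clock are assumptions; the sample token is the one used in this page's decoding example.

```javascript
// Added example: decode-only JWT inspection. Nothing here checks the signature.
const B64URL = /^[A-Za-z0-9_-]+$/;

// Base64url segment -> UTF-8 text (works in browsers and in Node 16+).
function b64urlToText(seg) {
  if (!B64URL.test(seg) || seg.length % 4 === 1) {
    throw new Error('Invalid JWT: segment is not base64url');
  }
  const bin = atob(seg.replace(/-/g, '+').replace(/_/g, '/'));
  const bytes = Uint8Array.from(bin, (c) => c.charCodeAt(0));
  return new TextDecoder('utf-8', { fatal: true }).decode(bytes);
}

// Steps 2-4: split, decode, parse, then report expiry against `nowSec`
// (injectable so the status can be checked for any point in time).
function decodeJwt(token, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split('.');
  if (parts.length !== 3 || !B64URL.test(parts[2])) {
    throw new Error('Invalid JWT: expected three base64url parts');
  }
  const [header, payload] = parts.slice(0, 2).map((seg) => {
    const obj = JSON.parse(b64urlToText(seg));
    if (obj === null || typeof obj !== 'object' || Array.isArray(obj)) {
      throw new Error('Invalid JWT: segment is not a JSON object');
    }
    return obj;
  });
  const iso = (s) => (Number.isFinite(s) ? new Date(s * 1000).toISOString() : null);
  return {
    header,
    payload,
    signature: parts[2],          // displayed as-is, never checked here
    issuedAt: iso(payload.iat),
    expiresAt: iso(payload.exp),
    expired: Number.isFinite(payload.exp) ? nowSec >= payload.exp : null,
    signatureVerified: false,     // decode only
  };
}

// Sample token from this page's decoding example; fixed clock for a repeatable result.
const SAMPLE = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyLCJleHAiOjE3MzUwMDAwMDB9.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c';
const decoded = decodeJwt(SAMPLE, 1700000000);
console.log(decoded.header.alg, decoded.payload.sub, decoded.issuedAt, decoded.expired);
```

The `signatureVerified: false` field is deliberate: every value this function returns is attacker-controllable until a verifier with the key has accepted the token.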
Manual vs Automated JWT Decoding
| Feature | Manual Decoding | AI-Powered Decoder |
|---|---|---|
| Decoding Speed | Manually base64url decode each section | Instant three-part token decoding |
| Expiration Check | Calculate Unix timestamp manually | Auto-shows expired/valid status |
| Timestamp Conversion | Convert exp/iat manually to dates | Human-readable date/time display |
| Claim Explanation | Look up JWT spec for each claim | Built-in explanations for sub, iss, aud, etc. |
| JSON Formatting | Raw JSON without formatting | Pretty-printed JSON with syntax highlighting |
| Security | Upload to third-party services | 100% client-side, no token transmission |
JWT Decoding Examples
Example: JWT Token Decoding
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyLCJleHAiOjE3MzUwMDAwMDB9.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
HEADER (Algorithm & Token Type):
{
"alg": "HS256",
"typ": "JWT"
}
Decoded Header Explanation:
alg: HS256 (HMAC SHA-256)
- Symmetric signing algorithm
- Requires secret key for verification
- Alternative: RS256 (RSA asymmetric)
typ: JWT
- Token type identifier
- Standard value for JSON Web Tokens
---
PAYLOAD (Claims):
{
"sub": "1234567890",
"name": "John Doe",
"iat": 1516239022,
"exp": 1735000000
}
Decoded Payload Explanation:
sub: "1234567890" (Subject)
- User identifier
- Typically user ID or username
name: "John Doe" (Custom Claim)
- User's full name
- Application-specific data
iat: 1516239022 (Issued At)
- Token creation time
- Unix timestamp: Jan 18, 2018 01:30:22 UTC
- Used for token age calculation
exp: 1735000000 (Expiration)
- Token expiry time
- Unix timestamp: Dec 24, 2024 00:00:00 UTC
- Status: VALID (not expired yet)
---
SIGNATURE (Verification Data):
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Signature Explanation:
- Created by: HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)
- Purpose: Verify token integrity
- Cannot be decoded (one-way hash)
- Requires secret key to verify
- Prevents tampering with header/payload
Token Status:
✓ Valid Structure (3 parts separated by dots)
✓ Valid Base64URL encoding
✓ Valid JSON in header and payload
✓ Not Expired (exp > current time)
⚠️ Signature NOT verified (decode only)
Security Notes:
- This tool DECODES but does NOT VERIFY
- Signature verification requires secret key
- Never trust decoded data without verification
- Check expiration before using token
- Validate issuer (iss) and audience (aud) claims
Use Cases:
✓ Debug authentication issues
✓ Inspect token claims
✓ Check token expiration
✓ Understand JWT structure
✓ Troubleshoot API authorization
Key Changes:
The decoder reveals JWT structure without cryptographic verification: decoding is just reading base64url-encoded JSON, while verification requires the secret key to validate the signature. A JWT consists of three base64url-encoded parts: header (algorithm metadata), payload (claims/data), and signature (integrity proof). Base64url encoding (not standard base64) replaces + with -, / with _, and removes the = padding for URL safety.
The header specifies the signing algorithm: HS256 uses HMAC with SHA-256 and requires a symmetric secret, while RS256 uses RSA with a public/private key pair. The payload contains claims: registered claims (sub, exp, iat, iss, aud) defined by RFC 7519, and custom claims (name, role, email) defined by applications. The 'exp' claim (expiration) is critical: expired tokens should be rejected even if the signature is valid. The 'iat' claim (issued at) enables token age limits. The signature prevents tampering: modifying the header or payload invalidates the signature, which is detected during verification.
Developers use JWT decoders to debug authentication failures, inspect token claims without backend access, check token expiration times, and understand why APIs reject tokens. The tool emphasizes that decoding ≠ verification: a decoded token may have valid JSON but an invalid signature, making it untrustworthy. Production systems must verify signatures using libraries (jsonwebtoken for Node.js, PyJWT for Python) before trusting token data.
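The decode-versus-verify distinction above, shown as an added Node.js example that is not the tool's code and not a replacement for the libraries the page names. It uses the built-in `crypto` module; the secret, the function names and the fixed clock values are constructed for the demonstration.

```javascript
const crypto = require('node:crypto');

const SECRET = 'constructed-demo-secret';   // constructed value, for this demo only
const b64url = (data) => Buffer.from(data).toString('base64url');
const fromB64url = (seg) => Buffer.from(seg, 'base64url');

// Issue a token: HMACSHA256(base64url(header) + "." + base64url(payload), secret).
function signHs256(claims, secret) {
  const input = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' })) + '.' + b64url(JSON.stringify(claims));
  const mac = crypto.createHmac('sha256', secret).update(input).digest();
  return `${input}.${b64url(mac)}`;
}

// Verify signature, then expiry; only then hand back the claims.
function verifyHs256(token, secret, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  // The verifier fixes the algorithm; the token's header does not get to pick.
  const header = JSON.parse(fromB64url(h).toString('utf8'));
  if (header.alg !== 'HS256') throw new Error('unexpected alg');
  const expected = crypto.createHmac('sha256', secret).update(`${h}.${p}`).digest();
  const given = fromB64url(s);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    throw new Error('bad signature');
  }
  const claims = JSON.parse(fromB64url(p).toString('utf8'));
  if (typeof claims.exp === 'number' && nowSec >= claims.exp) throw new Error('token expired');
  return claims;
}

// Same header and signature, edited payload: still decodes, must not verify.
function withEditedPayload(token, changes) {
  const [h, p, s] = token.split('.');
  const claims = { ...JSON.parse(fromB64url(p).toString('utf8')), ...changes };
  return [h, b64url(JSON.stringify(claims)), s].join('.');
}

// Run the verifier and report the outcome as a string.
function outcome(token, secret, nowSec) {
  try { verifyHs256(token, secret, nowSec); return 'verified'; }
  catch (err) { return err.message; }
}

const token = signHs256({ sub: '1234567890', name: 'John Doe', exp: 1735000000 }, SECRET);
const edited = withEditedPayload(token, { name: 'Someone Else' });
console.log(outcome(token, SECRET, 1700000000), '|', outcome(edited, SECRET, 1700000000));
```

The edited token still decodes to well-formed JSON in any decoder, which is why a clean decode says nothing about whether the claims can be trusted.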
Frequently Asked Questions
How do I decode a JWT token?
Simply paste your JWT token (the long string starting with "eyJ") into the decoder input area. The tool automatically detects, validates, and decodes the token, displaying the header, payload, signature, and expiration status instantly.
Is the JWT decoder free?
Yes! The JWT decoder is completely free with unlimited use and no registration required. Decode as many tokens as you need without any restrictions or sign-up process.
Is it safe to decode JWT tokens online?
Absolutely! All decoding happens client-side in your browser using JavaScript. Your JWT tokens never leave your device, are not sent to any servers, and are not logged or stored anywhere. It's 100% private and secure.
What information can I see from a decoded JWT?
The decoder displays the complete token structure: Header (algorithm and token type), Payload (all claims including user data, roles, permissions), Signature (raw signature string), Issued time, Expiration time, and validity status showing if the token is expired or still valid.
How do I check if my JWT token is expired?
Paste your token into the decoder and it will automatically check the "exp" (expiration) claim against the current time. Expired tokens show a clear indicator with the exact expiration date and time. Valid tokens show a separate indicator.
What JWT algorithms are supported?
The decoder supports all standard JWT algorithms including HS256, HS384, HS512 (HMAC), RS256, RS384, RS512 (RSA), ES256, ES384, ES512 (ECDSA), PS256, PS384, PS512 (RSA-PSS), and more. The algorithm type is displayed in the decoded header.
Can I decode JWT tokens from Auth0, Firebase, or AWS Cognito?
Yes! The decoder works with JWT tokens from any authentication provider including Auth0, Firebase, AWS Cognito, Okta, Azure AD, Google OAuth, and custom JWT implementations. Any valid JWT token can be decoded regardless of issuer.
What does "Invalid JWT" mean?
"Invalid JWT" means the token format is incorrect. A valid JWT must have exactly 3 parts separated by dots (header.payload.signature), with each part being Base64URL encoded. Common issues include: incomplete tokens, extra characters, wrong encoding, or corrupted token strings.