Decode and inspect JWT tokens. Shows header, payload, expiry. Signature is not verified. Your token never leaves your browser.
Signature is not verified — this tool only decodes the contents. For security validation, use your backend JWT library.
Pro tip: JWTs committed to repos are a security incident waiting to happen. Git AutoReview detects hardcoded tokens, API keys, and secrets in every PR.
Paste the token and the tool decodes it immediately — no button click needed. A JWT is three base64url-encoded sections separated by dots. The first two, header and payload, are JSON objects you can read directly. The third is the raw signature string, which can only be verified by the server that issued the token.
The payload holds claims: key-value pairs the issuer decided to include. Standard ones you will see on almost every token are sub (subject, usually a user ID), iss (issuer URL), aud (audience), exp (expiry as a Unix timestamp), and iat (issued-at). Beyond those, anything goes — roles, email, plan tier, feature flags, whatever the backend needed to carry across the wire.
Verification needs the secret key (HMAC) or public key (RSA/ECDSA) that signed the token. Your server holds that key and should never give it to a browser. This tool shows you what is inside the token; the actual security check belongs in your backend library. For Node.js that is jsonwebtoken, for Python it is PyJWT — both do the full signature verification that a client-side decoder cannot.
Production JWTs carry real user identities, session state, and permission scopes, so treat them like passwords. This tool is entirely client-side with zero network requests, which you can confirm in the DevTools Network tab. Even so, the safer habit is to use test tokens or expired tokens when you need to inspect claims, and keep real production tokens off online tools entirely.
Press Ctrl+Enter to decode manually. Press Ctrl+Shift+C to copy the payload JSON. The tool also decodes automatically as you type.
A JWT is three base64url-encoded sections glued together with dots. The first section is the header, which tells you the signing algorithm. The second is the payload, which carries claims like user ID, expiry timestamp, and whatever custom data the issuer decided to include. The third is the signature, which is cryptographic proof that the token was issued by someone who held the secret key. The format is RFC 7519: old and widely supported.
Verification needs the secret key or public key that signed the token, and your server holds that — not your browser. A client-side tool cannot verify signatures without exposing the key, which would defeat the entire point of having one. What this tool can do is show you what is inside the token: the algorithm, all the claims, and whether the expiry timestamp has already passed.
The standard claims you see on almost every token: sub is the subject, usually a user ID. iss is the issuer, typically a URL identifying your auth server. exp is expiry as a Unix timestamp. iat is when the token was issued. aud is the intended audience, often your API's identifier. Anything beyond those is custom to the application: roles, email, plan tier, whatever the backend decided to put in.
The tool is entirely client-side: open the DevTools Network tab while using it and you will see zero outbound requests. That said, JWTs from production systems carry real user identities and session state, so treat them like passwords regardless of the tool. The right habit is to avoid pasting real production tokens from actual users into any online tool you do not fully control.
Decoding just reads what is inside — base64url decode the payload and you get the JSON claims. Anyone who has the token string can do this; there is no secret involved. Verification is the step that actually matters for security: it checks the signature against the key to confirm the token was not tampered with and was issued by a trusted source. Decoding tells you what the token says; verification tells you whether to believe it.
Ctrl+Enter (Cmd+Enter on Mac) to decode, Ctrl+Shift+C to copy the payload section.
Developer Toolkit by Git AutoReview
Free tools for developers. AI code review for teams.