Decode | Inspect | Verify | Compare

    JWT Decoder

    Decode JSON Web Tokens, inspect claims, scan token risks, test expiry windows, verify signatures, and compare JWT payloads in a secure browser-based workspace.

    JWT Inspection Workspace

    Paste a token to decode header, payload, signature, claims, timestamps, and security signals.

    Client-side decoding and inspection | Header, payload, claims, signature, timestamps, risk scan, and diff mode
    JWT Security Toolkit

    Online JWT Decoder for Tokens, Claims, Signatures, and Security Checks

    Decode JSON Web Tokens online, inspect claims, review timestamps, test signature verification inputs, compare payload changes, and spot common JWT security risks from one polished developer workspace.

    Instant Decode

    Paste a JWT and immediately inspect the header, payload, signature, and claims in a readable layout.

    Security Scan

    Review expiration, algorithm, issuer, audience, subject, signature presence, and sensitive payload signals.

    Signature Tools

    Add an HMAC secret, PEM public key, JWK JSON, or JWKS URL to test token signature verification workflows.

    Private Workflow

    Decode and inspect tokens in your browser without sending token contents to a backend service.

    Decode Example

    Decode a token and read the claims behind it

    Copy the sample token to test the JWT decoder, inspect the header and payload, view expiration claims, run the security scan, and explore the raw JSON output.

    decoded-payload.json (JWT Payload)
    {
      "sub": "user_123",
      "name": "Alex Mercer",
      "iss": "https://issuer.example.com",
      "aud": "devtools",
      "iat": 1700000000,
      "exp": 1700003600
    }

    What is a JWT decoder?

    A JWT decoder turns a compact JSON Web Token into readable JSON. It separates the token into header, payload, and signature sections so developers can inspect the algorithm, key ID, claims, expiration time, issuer, audience, subject, scopes, roles, and other metadata used in authentication systems.

    What is a JSON Web Token?

    A JSON Web Token is a compact, URL-safe credential format commonly used by APIs, OAuth, OpenID Connect, single-page apps, mobile apps, and microservices. JWTs carry claims about a subject and are usually signed so a verifier can detect tampering.

    JWT structure explained

    1. Header

    Contains metadata such as alg, typ, and kid. Use it to understand the signing algorithm and key selection hints.

    2. Payload

    Contains registered, public, and private claims such as sub, iss, aud, exp, iat, nbf, scope, roles, and permissions.

    3. Signature

    Protects token integrity. It must be verified with the correct secret, public key, JWK, or JWKS endpoint before trusting claims.

    Features supported by this JWT decoder

    Decode, inspect, verify, compare, export, and test token behavior using practical controls built for authentication debugging.

    Header, Payload, and Signature Viewer

    Break a JWT into its three base64url sections and inspect algorithm, token type, key ID, claims, and signature data separately.

    Claims Table

    Read standard and custom claims in a structured table, including subject, issuer, audience, issued-at, not-before, and expiration values.

    Risk and Security Scan

    Highlight missing signatures, unsafe algorithms, expired tokens, long-lived sessions, unknown issuers, mismatched audiences, and sensitive fields.

    Signature Verification Inputs

    Use the verification panel for HMAC secrets, PEM public keys, JWK JSON, JWKS URLs, trusted issuers, and trusted audiences.

    Time Travel Testing

    Shift the validation clock forward or backward to test exp, nbf, and validity windows during development and QA.

    JWT Diff Mode

    Paste a second JWT and compare payloads when debugging changed sessions, refreshed access tokens, or modified claim sets.

    Raw JSON and Copy Actions

    Copy decoded header, payload, signature, bearer header templates, or export decoded token data as JSON.

    Developer Re-encode Tools

    Edit payload JSON and re-encode or re-sign with an HMAC secret for local decoder tests and integration experiments.

    JWKS Provider Hints

    Detect known issuer patterns and surface likely JWKS endpoints to help teams verify tokens from common identity providers.

    Common JWT use cases

    • Debug login, refresh token, and authorization header issues in frontend or backend apps.
    • Inspect API access tokens from OAuth, OpenID Connect, SSO, and microservice flows.
    • Check exp, iat, and nbf timestamps when users report expired or not-yet-valid sessions.
    • Compare old and new JWT payloads after a claim mapping, role, scope, or audience change.
    • Review whether a token contains risky personal data, secrets, passwords, or internal identifiers.
    • Validate issuer and audience expectations while building API gateways, middleware, and service-to-service auth.

    Security notes before trusting a JWT

    Decoding makes a token readable, but readable does not mean trusted. Always verify the signature and validate issuer, audience, expiration, algorithm, and application-specific authorization rules before accepting claims.

    JWT payloads are not encrypted by default. Avoid putting passwords, API keys, secrets, private keys, or sensitive personal data inside token claims because anyone with the token can decode them.

    Treat production access tokens like credentials. Use this tool for development and debugging, and avoid pasting real tokens into tickets, public logs, screenshots, or shared chat messages.

    How to verify a JWT safely

    1. Decode the token and inspect alg, typ, kid, iss, aud, sub, exp, iat, and nbf.
    2. Provide the correct HMAC secret, PEM public key, JWK JSON, or JWKS URL in the verification panel.
    3. Confirm the signature is valid and the algorithm matches what your application expects.
    4. Validate issuer and audience against trusted values, then check expiry and not-before windows.
    5. Apply your app's authorization rules for scopes, roles, permissions, tenants, and resources.
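
    The verification order above, written out for HS256 in Node.js as an added example (not this tool's code). The secret, the trusted issuer and audience, and the helper names are constructed assumptions; the payload is the sample from the Decode Example.

```javascript
const crypto = require("node:crypto");

// Step 1: base64url-decode one section and require a JSON object.
function b64urlJson(part) {
  const v = JSON.parse(Buffer.from(part, "base64url").toString("utf8"));
  if (v === null || typeof v !== "object") throw new Error("not a JSON object");
  return v;
}

// Constructed helper so the sample is self-contained; builds an HMAC-SHA256 token.
function signHS256(payload, secret, header = { alg: "HS256", typ: "JWT" }) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  const input = `${enc(header)}.${enc(payload)}`;
  return `${input}.${crypto.createHmac("sha256", secret).update(input).digest("base64url")}`;
}

// Returns { ok, reason, claims }. `now` is injectable, which mirrors "time travel" testing.
function verifyJwt(token, secret, expected, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split(".");
  if (parts.length !== 3 || !parts[2]) return { ok: false, reason: "malformed or unsigned" };
  let header, claims;
  try {
    header = b64urlJson(parts[0]);
    claims = b64urlJson(parts[1]);
  } catch {
    return { ok: false, reason: "undecodable" };
  }
  // Step 3: pin the algorithm; the token's own header must not choose it.
  if (header.alg !== "HS256") return { ok: false, reason: "unexpected alg" };
  const want = crypto.createHmac("sha256", secret).update(`${parts[0]}.${parts[1]}`).digest();
  const got = Buffer.from(parts[2], "base64url");
  if (got.length !== want.length || !crypto.timingSafeEqual(got, want))
    return { ok: false, reason: "bad signature" };
  // Step 4: issuer and audience against trusted values, then the validity window.
  if (claims.iss !== expected.iss) return { ok: false, reason: "untrusted issuer" };
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(expected.aud)) return { ok: false, reason: "wrong audience" };
  if (typeof claims.exp !== "number" || now >= claims.exp) return { ok: false, reason: "expired" };
  if (typeof claims.nbf === "number" && now < claims.nbf) return { ok: false, reason: "not yet valid" };
  return { ok: true, reason: "valid", claims }; // Step 5 (authorization) is the caller's job.
}

// Constructed sample input: the page's example payload, signed with a throwaway secret.
const SECRET = "demo-secret-not-for-production";
const PAYLOAD = { sub: "user_123", name: "Alex Mercer", iss: "https://issuer.example.com",
  aud: "devtools", iat: 1700000000, exp: 1700003600 };
const EXPECTED = { iss: "https://issuer.example.com", aud: "devtools" };
const TOKEN = signHS256(PAYLOAD, SECRET);
```

    Claims are only returned after every check passes, so a caller cannot accidentally act on a decoded but unverified payload.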

    Developer workflow extras

    Time travel

    Test future and past validity windows for exp and nbf claims.

    Compare tokens

    Review changed claims between two JWTs side by side.

    Copy sections

    Copy header, payload, signature, or bearer header snippets.

    Export JSON

    Download decoded header and payload data as JSON.

    JWT Decoder Questions

    Practical answers about decoding, verification, privacy, JWT claims, and token security.

    A JWT decoder is a developer tool that splits a JSON Web Token into its header, payload, and signature sections, then base64url-decodes the readable JSON parts so you can inspect claims and token metadata.