JWT decoder
Paste any JSON Web Token. Instantly see the header, payload, claims, algorithm, and expiry status. Your token never leaves the browser.
| claim | value | description |
|---|
Is it safe to paste my JWT here?
Yes. This tool runs entirely in your browser — no data is sent to any server. Your token never leaves the page. That said, never paste production tokens into any online tool if you can avoid it. Prefer staging or already-expired tokens for debugging.
What is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe token format used to represent claims between two parties. It has three Base64url-encoded parts separated by dots: header (algorithm + type), payload (claims), and signature. JWTs are commonly used for authentication and API authorization.
What is the exp claim?
The exp claim (Expiration Time) is a Unix timestamp in seconds indicating when the token expires. This tool converts it to a human-readable date and tells you whether the token is still valid or has expired.
Can this tool verify JWT signatures?
This tool decodes and inspects without verifying signatures. Signature verification requires the secret key (HMAC) or public key (RSA/ECDSA), which should never be shared with browser tools. Always verify signatures server-side.
What JWT algorithms are there?
Common algorithms: HS256/HS384/HS512 (HMAC-SHA), RS256/RS384/RS512 (RSA), ES256/ES384/ES512 (ECDSA), PS256/PS384/PS512 (RSA-PSS). The algorithm is in the alg field of the header. The none algorithm means unsigned and should be rejected by most servers.
Built by vøiddo — a small studio shipping AI-flavoured products, free dev tools, Chrome extensions and weird browser games.