About JWT Decode
JWT Decode (jwtdecode.app) is a free online JSON Web Token decoder, inspector, and signature verifier built for developers who need to quickly understand what a JWT contains without compromising token security.
The site is written and maintained by Andy, a software engineer who has shipped JWT-based authentication in production systems and writes the guides here to make that experience reusable. Corrections, questions, and disagreements are welcome — contact details below.
Purpose
Modern authentication systems issue JSON Web Tokens constantly — as access tokens, ID tokens, and API credentials. Developers, QA engineers, security engineers, and API integrators regularly need to inspect these tokens: to debug auth flows, verify claim values, check expiry timestamps, or confirm that an issuer is setting the right fields.
Many existing JWT tools send the pasted token to a remote server for decoding — a significant privacy risk, since JWTs often contain user IDs, session scopes, and role assignments. JWT Decode was built specifically to eliminate this risk: all decoding and signature verification runs in your browser using JavaScript and the browser's built-in Web Crypto API. No token content ever leaves your device.
Who This Is For
JWT Decode is used by anyone who works with authentication systems and needs to inspect tokens quickly and safely. Common use cases across different roles:
- ·Backend developers debugging a 401 from an API gateway — paste the token from the Authorization header, check whether exp has passed, confirm the aud matches the expected service, and check the iss against the configured issuer.
- ·QA engineers verifying that the auth service is setting the right claims in test environments — confirm that roles, org_id, and custom claims are populated correctly in regression tests.
- ·Security engineers auditing tokens from a third-party integration — inspect exactly what claims an external identity provider is including, verify that the signing algorithm is the asymmetric one expected (RS256, not HS256: a token signed with HS256 means every verifier holds the issuer's shared secret and can mint tokens itself), and check that an appropriate token lifetime is being used.
- ·API integrators onboarding to a new identity provider — decode the access and ID tokens returned by the provider's token endpoint to understand the claim structure before writing verification code.
- ·CI/CD pipeline engineers diagnosing a failing authentication step in an automated test suite — copy the token from the pipeline log, check its expiry and claims without needing to set up a local debugging environment.
The tool is intentionally simple: paste a token, see the claims. No account required, no sign-up, no configuration. The signature verifier supports the HMAC, RSA, RSA-PSS and ECDSA algorithm families listed below and accepts keys in standard formats (PEM for public keys, raw shared secrets for HMAC) for when you need to go beyond inspection.
What the Tool Does
- ·Instant JWT decoding: Paste any JWT and the header and payload are decoded in real time, displayed with syntax highlighting. No button click required.
- ·Claims inspection: All standard registered claims (iss, sub, aud, exp, nbf, iat, jti) are labelled and explained. Timestamp claims are shown in both Unix and human-readable formats with relative time, plus expiry status badges.
- ·Signature verification: Supports HS256/HS384/HS512 (HMAC shared secret), RS256/RS384/RS512 (RSA public key), ES256/ES384/ES512 (ECDSA public key), and PS256/PS384/PS512 (RSA-PSS public key). All cryptographic operations use the browser's Web Crypto API.
- ·Raw Base64url view: Inspect the raw Base64url-encoded segments and their decoded UTF-8 output for low-level debugging.
- ·JWT anatomy guide: An inline reference explaining JWT structure, standard claim fields, and key security reminders.
- ·Dark and light mode: Respects system preferences and allows manual override.
Editorial Standards
The guides on this site are written to be technically accurate and practically useful. Content is reviewed against RFC 7519 (JSON Web Token), RFC 7515 (JSON Web Signature), RFC 7517 (JSON Web Key), and the OWASP JWT Security Cheat Sheet. Where security guidance conflicts with convenience, security takes precedence.
Factual corrections are welcome. If you find a claim in any guide that appears to be incorrect or misleading, please send the specific page, the claim in question, and a supporting reference to hello@jwtdecode.app. Corrections that improve accuracy for readers are taken seriously and acted on promptly.
Content covers the JWT specification itself, the cryptographic algorithms defined in RFC 7518, the OpenID Connect specification, OAuth 2.0 best current practices (RFC 9700), and practical implementation guidance drawn from real-world deployments. No content is produced for search ranking purposes — everything here should be genuinely useful to someone implementing or debugging JWT-based authentication.
Technical Approach
The decision to run all processing in the browser was made at the outset and shapes every technical decision. JWT payloads often contain PII (names, email addresses, user IDs) and security-sensitive data (role assignments, session scopes). A tool that sends these to a server — even just to decode Base64url — creates an unnecessary exposure surface. The browser has everything needed to do this locally.
Signature verification uses the window.crypto.subtle API, available in all modern browsers since 2017. Web Crypto supports HMAC (for HS256, HS384, HS512), RSASSA-PKCS1-v1_5 (RS256, RS384, RS512), RSA-PSS (PS256, PS384, PS512), and ECDSA with the P-256, P-384, and P-521 curves (ES256, ES384, ES512 respectively, paired with SHA-256, SHA-384 and SHA-512). The key and token are passed entirely within the browser's JavaScript sandbox — nothing is serialised over the network.
The site is built with React 18 and server-side prerendered at build time for performance and SEO. Each guide page is rendered to static HTML before deployment, so there is no server-side rendering on the request path — the server simply serves static files. The React application hydrates in the browser and handles all interactivity locally.
Educational Resource
Beyond the tool itself, this site serves as an educational resource for developers working with JWTs. The guides section covers JWT fundamentals, the three-part token structure, standard claim semantics, signature verification mechanics, algorithm selection, security best practices, common errors, and the distinction between decoding and validation.
Privacy Commitment
Token privacy is the founding principle of this tool. The implementation is deliberately designed so that token content cannot leak to the server:
- ·All JWT decoding is performed by JavaScript running in your browser
- ·All signature verification uses window.crypto.subtle, the browser's native cryptography engine
- ·No token data is sent to any backend, analytics service, or third party
- ·Nothing is persisted to localStorage, sessionStorage, or cookies
The site uses Google AdSense for advertising. Ad scripts run in sandboxed iframes and cannot access the JWT decoder's JavaScript state. See the Privacy Policy for full details.
Contact
For questions, feedback, or to report an issue, visit the Contact page.