JWT Decoder

Decode a JWT to inspect its header, payload and signature.

Overview

Paste a JWT and the decoder shows the three segments separately: header, payload, and signature. Standard claims (iss, sub, aud, exp, iat, nbf, jti) are rendered with friendly labels and decoded timestamps. The signature is shown as bytes for inspection only - this tool decodes, it doesn't verify.

It's for developers debugging OAuth/OIDC flows, inspecting tokens issued by an identity provider, or reverse-engineering a third-party API's auth scheme. Reach for it when an API call fails with a 401 and you want to see what the server actually received.

How it works

A JWT (RFC 7519) is three base64url segments separated by dots. The decoder splits on the dot, base64url-decodes each segment, and parses the first two as JSON. Padding is auto-inserted because the base64url variant used by JWTs strips = characters.

Time claims (iat, exp, nbf) are Unix timestamps - the decoder converts them to ISO 8601 and flags whether the current time is inside the validity window. The header's alg field is reported so you can tell at a glance whether the token is HMAC-signed or RSA/ECDSA-signed.
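
The steps above as an added JavaScript example (not the tool's own source): split, restore base64url padding, parse the header and payload, convert time claims, and report alg without verifying anything. The function names and the nowSeconds parameter are assumptions made for illustration; the sample reuses this page's example header and payload with a constructed third segment.

```javascript
// Added example: decode-only inspection. Nothing here verifies the signature.
const TIME_CLAIMS = ["iat", "exp", "nbf"];

// base64url -> bytes: map the URL-safe alphabet back and restore stripped "=".
function b64urlToBytes(segment) {
  if (!/^[A-Za-z0-9_-]*$/.test(segment) || segment.length % 4 === 1) {
    throw new Error("segment is not valid base64url");
  }
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
}

// Header and payload must each be a UTF-8 encoded JSON object.
function parseJsonSegment(segment) {
  const bytes = b64urlToBytes(segment);
  const value = JSON.parse(new TextDecoder("utf-8", { fatal: true }).decode(bytes));
  if (value === null || typeof value !== "object" || Array.isArray(value)) {
    throw new Error("segment is not a JSON object");
  }
  return value;
}

// nowSeconds is a parameter (hypothetical name) so the validity check is reproducible.
function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length === 5) throw new Error("five segments: JWE, needs the decryption key");
  if (parts.length !== 3) throw new Error("expected three dot-separated segments");
  const header = parseJsonSegment(parts[0]);
  const payload = parseJsonSegment(parts[1]);
  const times = {};
  for (const name of TIME_CLAIMS) {
    const value = payload[name];
    const date = typeof value === "number" ? new Date(value * 1000) : null;
    if (date && !Number.isNaN(date.getTime())) times[name] = date.toISOString();
  }
  let status = "inside validity window";
  if (typeof payload.nbf === "number" && nowSeconds < payload.nbf) status = "not yet valid";
  if (typeof payload.exp === "number" && nowSeconds >= payload.exp) status = "expired";
  // alg and every claim are unverified, sender-controlled input at this point.
  return { alg: header.alg, header, payload, times, status,
           signature: b64urlToBytes(parts[2]), verified: false };
}

// Header and payload segments from the example on this page; the third
// segment is constructed (base64url of the ASCII text "signature").
const SAMPLE = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9." +
  "eyJzdWIiOiJ1c2VyLTEiLCJleHAiOjE3MzU2ODk2MDB9.c2lnbmF0dXJl";
```

Treat the returned alg and claims as display data only; an authorization decision belongs after signature verification with a known key.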

Examples

  • Decode a typical token:
    eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c2VyLTEiLCJleHAiOjE3MzU2ODk2MDB9.signature
    
    Header:  {"alg":"HS256","typ":"JWT"}
    Payload: {"sub":"user-1","exp":1735689600}
    Exp:     2025-01-01T00:00:00Z (expired)
    
  • A Google-issued ID token's payload (truncated):
    {"iss":"https://accounts.google.com","aud":"...","sub":"103...","email":"..."}
    
  • A token with custom claims:
    {"role":"admin","tenant":"acme","exp":1799999999}
    
  • Signature inspection (raw):
    Base64url bytes: pGy...kQ
    

FAQ

Does this verify the signature?

No - decoding is independent of verification. For verification (with a known key), use the JWT Crafter tool.

Is it safe to paste production tokens here?

The decoder runs in the browser and tokens are not sent to a server. That said, JWTs often contain identifying info - prefer test tokens when possible.

Why does the payload show exp as a number?

exp, iat, and nbf are Unix timestamps per spec. The decoder also shows the ISO 8601 conversion alongside the raw integer.

Can I decode an encrypted token (JWE)?

No - this decoder handles JWS (signed) tokens, which are the common case. JWE (encrypted) tokens have five segments and need the decryption key to read the payload.
