jwtdecode.io

Decode and inspect JWTs in your browser

🔒 All decoding happens in your browser. Tokens are not sent to any server.

What is a JWT (JSON Web Token)?

JWT stands for JSON Web Token. It's an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. JWTs are commonly used for authentication and information exchange in web applications. A JWT consists of three parts: Header, Payload, and Signature, separated by dots (.).

How to decode JWT tokens online

Decoding JWT tokens is simple with our online tool. Here's how it works:

  1. Paste your JWT: Copy your JWT token and paste it into the input field. The token should have three parts separated by dots.
  2. View decoded data: The header and payload are automatically decoded and displayed as formatted JSON on the right side.
  3. Verify signature (optional): If you want to verify the token's authenticity, enter your secret key and select the algorithm (HS256, HS384, or HS512).
  4. Check status: The signature status indicator will show whether your token is valid, invalid, or not verified.
  5. Copy data: Use the "Copy JSON" button to copy the decoded payload to your clipboard.

All decoding and verification happens directly in your browser using JavaScript and the Web Crypto API. Your JWT tokens never leave your device, ensuring complete privacy and security.

Common use cases for JWT decoder

Our JWT debugging tool is perfect for various scenarios:

  • Debugging authentication issues: Quickly inspect JWT tokens to verify claims, expiration times, and other payload data.
  • API development: Test and validate JWT tokens during API development and integration.
  • Security audits: Examine JWT structure and verify signatures to ensure proper implementation.
  • Learning JWT: Understand how JSON Web Tokens work by decoding real examples.
  • Token inspection: Check token expiration (exp), issued at (iat), and other standard claims.
  • Troubleshooting SSO: Debug Single Sign-On implementations that use JWT tokens.

Why use an online JWT decoder?

While you could decode JWTs manually or write a script, an online JWT debugger offers several advantages: it's instant, requires no installation, works on any device, and handles edge cases like proper base64url decoding. Our tool follows JWT standards (RFC 7519), ensuring accurate decoding and verification.

Plus, processing is 100% browser-based and uses the Web Crypto API, so your JWT tokens stay on your device and are never uploaded to any server. Whether you're inspecting authentication tokens or debugging API responses, the token data stays in your browser.

Supported JWT algorithms

Our JWT verifier currently supports HMAC-based signature verification:

  • HS256 (HMAC-SHA256): Fully supported with real-time verification
  • HS384 (HMAC-SHA384): Coming soon
  • HS512 (HMAC-SHA512): Coming soon

Future updates will include support for RSA (RS256, RS384, RS512) and ECDSA (ES256, ES384, ES512) algorithms.

Frequently Asked Questions

How do I decode a JWT token?

Simply paste your JWT token into the input field. The tool will automatically decode the header and payload and display them as formatted JSON. No additional steps are required for basic decoding.

Is it safe to decode JWT tokens online?

Yes! All decoding and verification happens directly in your browser using JavaScript. Your JWT tokens are never sent to any server or stored anywhere. The processing is 100% client-side, ensuring complete privacy.

How do I verify a JWT signature?

After pasting your JWT token, enter your secret key in the "Secret Key" field and select the algorithm (HS256, HS384, or HS512). The tool will automatically verify the signature and display whether it's valid or invalid.

What JWT algorithms are supported?

Currently, we fully support HS256 (HMAC-SHA256) signature verification. Support for HS384, HS512, and RSA/ECDSA algorithms is planned for future updates.

Can I use this tool for production JWT tokens?

Yes, but be cautious. While the tool is secure (everything runs in your browser), you should be careful about pasting production secrets. For production environments, consider using the tool without entering the secret key, or only use it in secure, trusted environments.

What is the difference between Header and Payload in JWT?

The Header contains metadata about the token, such as the algorithm used for signing (e.g., HS256) and the token type (JWT). The Payload contains the claims - the actual data you want to transmit, such as user ID, permissions, expiration time, etc.

Why does my JWT have three parts?

JWT tokens consist of three parts separated by dots: Header.Payload.Signature. The Header describes the token, the Payload contains the data (claims), and the Signature ensures the token hasn't been tampered with. All three parts are base64url-encoded, which is an encoding rather than encryption: anyone holding the token can read the header and payload.

Can I copy the decoded JWT data?

Yes! Use the "Copy JSON" button next to the Payload section to copy the decoded payload to your clipboard. This makes it easy to use the data in other applications or for further processing.