JWT Decoder — Free Online JSON Web Token Inspector
Decode, inspect, and verify JWT tokens instantly. View the header, payload, signature, and claims of any JSON Web Token. Check expiration dates, verify HMAC signatures, and debug authentication issues. Fully client-side — tokens and secrets are never sent anywhere.
How to Use the JWT Decoder
- Paste your JWT token in the input field — it can be from any source (browser dev tools, API response, logs).
- View the decoded header to see the algorithm and token type.
- Examine the claims table with human-readable labels for each claim.
- Check the token type detection — Access Token, ID Token, or Refresh Token.
- For HMAC tokens (HS256/384/512), enter the secret key to verify the signature.
- Check the status indicator to see if the token is expired or still valid.
Why Use This JWT Decoder
JWTs are the backbone of modern authentication, but they're opaque strings that hide critical debugging information. When a 401 error hits at 2am, you need to quickly check: Is the token expired? What claims does it contain? Was it signed with the right algorithm? This decoder answers those questions in seconds.
Unlike jwt.io, this tool runs entirely in your browser — your secrets never leave your machine. It also provides signature verification for HMAC algorithms, token type detection, and human-readable claim labels to help you debug faster.
Frequently Asked Questions
A JWT has three Base64Url-encoded parts separated by dots: header.payload.signature. The header specifies the algorithm (like HS256 or RS256), the payload contains the claims (data), and the signature verifies the token hasn't been tampered with.
Yes! For HMAC-based algorithms (HS256, HS384, HS512), you can enter the secret key to verify the signature. For RSA and ECDSA algorithms (RS256, ES256, etc.), you would need the public key, which requires a backend verification step. Never paste production secrets into browser tools unless you trust the tool's client-side-only guarantee.
The exp claim in the payload is a Unix timestamp indicating when the token expires. If the current time is past that timestamp, the token is expired. Common causes of an unexpectedly expired token: clock skew between servers, tokens stored too long in the browser, or refresh token rotation not working properly.
HS256 uses a symmetric secret (same key signs and verifies) — fast but the secret must be shared. RS256 uses asymmetric keys (private key signs, public key verifies) — more secure for distributed systems. Most OAuth providers use RS256; internal microservices often use HS256.
The tool detects token types based on standard claims: scope or permissions suggest an Access Token; nonce, at_hash, or aud with a single audience suggest an ID Token; gty (grant type) suggests a Refresh Token. This is heuristic and may not match your provider's conventions.
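The checks described in the answers above (three-part structure, HMAC signature verification, and the exp comparison) can be reproduced offline. The following Node.js sketch is an added example, not this tool's own code; the function names, the constructed secret and timestamp, and the 60-second clock-skew leeway are assumptions made for illustration.

```javascript
// Added example (not the tool's code): offline HS256 inspection in Node.js.
const { createHmac, timingSafeEqual } = require('node:crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');
const fromB64url = (s) => Buffer.from(s, 'base64url');

// Builds a sample token so the example runs without any real credential.
function signHS256(payload, secret) {
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(payload));
  const sig = createHmac('sha256', secret).update(`${head}.${body}`).digest();
  return `${head}.${body}.${b64url(sig)}`;
}

// Splits header.payload.signature, pins the algorithm, verifies the HMAC,
// then checks exp. leewaySec (assumed 60 s) absorbs clock skew between hosts.
function inspectHS256(token, secret, nowSec = Math.floor(Date.now() / 1000), leewaySec = 60) {
  const parts = token.split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  let header, payload;
  try {
    header = JSON.parse(fromB64url(parts[0]).toString('utf8'));
    payload = JSON.parse(fromB64url(parts[1]).toString('utf8'));
  } catch {
    return { ok: false, reason: 'malformed' };
  }
  // The verifier decides the algorithm; the token's header is only compared to it.
  if (header.alg !== 'HS256') return { ok: false, reason: 'unexpected alg' };
  // The signature covers the encoded header and payload exactly as received.
  const expected = createHmac('sha256', secret).update(`${parts[0]}.${parts[1]}`).digest();
  const given = fromB64url(parts[2]);
  // Length check first: timingSafeEqual throws on unequal lengths.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad signature' };
  }
  // Claims are trusted only after the signature check has passed.
  if (typeof payload.exp === 'number' && nowSec > payload.exp + leewaySec) {
    return { ok: false, reason: 'expired', payload };
  }
  return { ok: true, payload };
}

// Constructed sample values (not real credentials or tokens).
const SECRET = 'constructed-demo-secret';
const NOW = 1700000000;
const sampleToken = signHS256({ sub: 'user-123', exp: NOW + 300 }, SECRET);
```

Passing a fixed `nowSec` makes expiry results reproducible when comparing a token against the timestamp of a logged 401.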
Use Cases
Inspecting JWT Claims
Decode JWT tokens to view all claims including user ID, roles, and custom data in a readable format.
Debugging Auth Tokens
Quickly identify why authentication tokens are failing by examining their contents and expiration.
Verifying Token Expiration
Check if JWT tokens are expired or still valid to troubleshoot authentication issues.
Understanding OAuth Payloads
Analyze OAuth token payloads to understand what data is being passed between services.
Checking Header Algorithms
Verify the signing algorithm used in JWT headers to ensure proper security configuration.