JWT Decoder
Client-side only. Decode and inspect JWT tokens instantly. View header, payload, and signature. Check expiry, algorithm, and claims — all client-side, nothing sent to a server.
What is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe string used to securely transmit information between parties. It is defined by RFC 7519 and is the standard token format for authentication and authorization in modern web applications.
A JWT consists of three Base64URL-encoded parts separated by dots: the header (algorithm and token type), the payload (claims about the user or session), and the signature (used to verify the token hasn't been tampered with).
The payload is only encoded, not encrypted — anyone with the token can decode and read its contents. Never store sensitive data like passwords in a JWT payload. The signature ensures integrity but not confidentiality.
How to Use This Tool
- Paste your JWT token into the input field above — it should look like three Base64URL strings separated by dots.
- The tool instantly decodes and displays the header, payload, and signature in separate panels.
- Check the payload for standard claims: exp (expiry), iat (issued at), sub (subject), and any custom claims your app uses.
- The status bar shows whether the token is still valid, expired, or not yet active based on the exp and nbf claims.
Common Use Cases
Debugging Authentication
Inspect tokens returned by your auth server to verify claims, roles, and expiry times during development.
Checking Token Expiry
Quickly see the exp timestamp without writing code — useful when troubleshooting session timeouts.
Verifying Token Structure
Confirm the algorithm (alg), token type, and that all required payload fields are present before deploying.
Learning JWT Format
Understand how JWTs are structured by decoding real tokens and inspecting each section.
API Integration Testing
Validate tokens from third-party OAuth providers like Google, GitHub, or Auth0 when building integrations.
Security Auditing
Check that tokens use secure algorithms (RS256, ES256) and avoid the insecure alg: none vulnerability.
Frequently Asked Questions
Is it safe to paste my JWT into this tool?
This tool runs entirely in your browser — your token is never sent to any server. However, JWTs are credentials: avoid pasting production tokens from sensitive systems into any online tool. Use test or development tokens when possible.
Can this tool verify the JWT signature?
No. Signature verification requires your server-side secret or public key, which should never be exposed in the browser. This tool decodes the header and payload only. Use your backend or a trusted library to verify signatures.
What does it mean if my JWT is expired?
An expired JWT has a past exp (expiry) timestamp. The server should reject it. You need to obtain a new token — typically by using a refresh token or by logging in again.
What is the difference between HS256 and RS256?
HS256 uses a shared secret (symmetric) — both parties use the same key to sign and verify. RS256 uses a private/public key pair (asymmetric) — the server signs with the private key and anyone can verify with the public key. RS256 is safer for distributed systems.
Why does the JWT payload end with == padding?
JWTs use Base64URL encoding, which strips padding characters (=). If you decode the raw segments manually, you may need to add padding back before decoding with standard Base64 tools.
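The decoding steps described under "How to Use This Tool" and the padding point from the FAQ above, as an added example that is not the tool's own source: it splits the token, restores the stripped Base64URL padding, parses header and payload, derives the valid / expired / not yet active status from exp and nbf, and flags a missing or "none" alg. The sample token, its claim values and the placeholder signature are constructed for illustration; the signature is never verified.

```javascript
// Added example, not the tool's own source. Decodes a JWT in the browser or
// Node, restores the stripped Base64URL padding, and classifies the token's
// validity window from exp/nbf. It does NOT verify the signature.

// Base64URL -> text: map '-'/'_' back to '+'/'/' and re-add '=' padding so atob() accepts it.
function base64UrlDecode(segment) {
  const std = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = std + '='.repeat((4 - (std.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder('utf-8').decode(bytes); // UTF-8 safe for non-ASCII claim values
}

// Text -> Base64URL (used only to build the constructed sample token below).
function base64UrlEncode(text) {
  const bin = Array.from(new TextEncoder().encode(text), (b) => String.fromCharCode(b)).join('');
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Split header.payload.signature; header and payload are JSON, the signature stays opaque.
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('a JWT has exactly three dot-separated parts');
  const [h, p, s] = parts;
  return { header: JSON.parse(base64UrlDecode(h)), payload: JSON.parse(base64UrlDecode(p)), signature: s };
}

// Status from the time claims (seconds since the Unix epoch), mirroring the tool's status bar.
function tokenStatus(payload, nowSeconds = Math.floor(Date.now() / 1000)) {
  if (typeof payload.exp === 'number' && nowSeconds >= payload.exp) return 'expired';
  if (typeof payload.nbf === 'number' && nowSeconds < payload.nbf) return 'not yet active';
  return 'valid';
}

// Flag the header problems an audit looks for: a missing alg, or alg "none" (an unsigned token).
function algorithmWarning(header) {
  if (typeof header.alg !== 'string' || header.alg.length === 0) return 'header has no alg claim';
  if (header.alg.toLowerCase() === 'none') return 'alg "none": token is unsigned and must be rejected';
  return null;
}

// Constructed sample: the well-known HS256 header, a payload with sub/iat/nbf/exp,
// and a placeholder signature segment (not a real HMAC).
function buildSampleJwt() {
  const header = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9'; // {"alg":"HS256","typ":"JWT"}
  const payload = base64UrlEncode(JSON.stringify({ sub: 'user-123', iat: 1700000000, nbf: 1700000000, exp: 1700003600 }));
  return `${header}.${payload}.placeholder-signature`;
}

const decoded = decodeJwt(buildSampleJwt());
console.log(decoded.header, decoded.payload, tokenStatus(decoded.payload), algorithmWarning(decoded.header));
```

Pass a fixed nowSeconds to tokenStatus when reproducing a past incident, otherwise it uses the current clock.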