JWT Decoder
Inspect and verify JSON Web Tokens
RSA / ECDSA verification (RS256, ES256) requires public-key parsing — paste an HS-* JWT here, or check tokens against jwt.io for now.
About JWT Decoder
What a JWT is
A JSON Web Token (JWT) is a compact, URL-safe way to represent claims between two parties — typically a user identity and access metadata passed from an auth server to an API. Defined in RFC 7519, it's three Base64URL-encoded segments separated by dots: header.payload.signature.
- The header declares the signing algorithm (e.g. `HS256`, `RS256`) and token type.
- The payload is a JSON object of claims — `sub` (subject / user id), `exp` (expiry), `iat` (issued-at), `iss` (issuer), `aud` (audience), plus any custom claims (`role`, `email`, etc.).
- The signature is `HMAC_SHA256(base64url(header) + '.' + base64url(payload), secret)` (for the HS family) or an RSA/ECDSA signature (for the RS/ES family).
The payload is not encrypted — anyone can Base64-decode it. The signature is what proves the token wasn't tampered with.
What this tool does
- Decode any JWT into its three parts. Pretty-print the header and payload JSON.
- Highlight standard claims (`exp`, `iat`, `nbf`, `iss`, `aud`, `sub`, `jti`) with human-readable timestamps and expiry status.
- Verify the signature for HS256 / HS384 / HS512 by pasting your secret. RS/ES verification (RS256 / ES256) requires a public key in PEM form.
- Detect common red flags — `alg: none` (signature bypass attack), missing `exp`, very long-lived tokens.
- All client-side. Your token and your secret stay in your browser. No upload.
Why developers reach for this daily
A JWT decoder is the single most-used tool in auth debugging. When a request 401s, the first move is to decode the token and check: is it expired? Does the aud match this service? Does the role/scope claim include the action being attempted? Is the issuer correct? Five seconds with a JWT decoder saves an hour of guessing.
The ecosystem standard is jwt.io. This tool does the same job but: (a) never sends your token over the wire (jwt.io does decode client-side now too, but it's still hosted on a third-party domain), (b) flags the common security smells inline, and (c) is one keystroke away from the rest of the Toolenza dev kit via Cmd-K.
Frequently asked questions
No. The decoding and signature verification run entirely in your browser using the Web Crypto API. Tokens and secrets stay on your machine.
HMAC family — HS256, HS384, HS512 — works fully in-browser via Web Crypto. For RS256 / ES256 / EdDSA, paste the issuer's public key in PEM format. `alg: none` tokens are decoded but flagged as insecure (this header value is a classic signature-bypass vulnerability when the verifier accepts it).
The `exp` claim is past the current Unix timestamp. JWTs are timestamp-bound for security; an expired token must be rejected by the verifier even if the signature is valid. Refresh the token from your auth server.
A session cookie typically holds a random ID; the server looks up the actual session data in a database. A JWT carries the claims *inside the token* — the server validates the signature instead of looking up state. JWTs are useful for stateless APIs and microservice fan-out; session cookies are simpler for monolithic web apps and let you invalidate sessions immediately by deleting the row.
Standard JWTs (JWS) are signed but not encrypted — anyone with the token can read its claims by Base64-decoding. For encrypted tokens, use JWE (JSON Web Encryption), a different specification. Never put a password or secret inside a JWT claim.
Embed this tool on your site
Drop a one-line iframe snippet into any blog, lesson plan, or knowledge base. Powered-by-Toolenza link included.