
JWT Decoder

Decode and inspect JSON Web Tokens instantly. View headers, payloads, expiration times, and standard claims with syntax highlighting.

About JWT Decoder

Paste a JSON Web Token above to decode and inspect its contents. This tool will display:

  • Header information (algorithm, type)
  • Payload claims with formatted JSON
  • Signature (base64url encoded)
  • Expiration status with live countdown
  • Standard claims in human-readable format

All decoding happens in your browser. No data is sent to any server.

What is a JSON Web Token (JWT)?

A JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. JWTs are commonly used for authentication and authorization in web applications, mobile apps, and APIs.

A JWT consists of three parts separated by dots (.): the header, payload, and signature. Each part is base64url encoded, making the token safe to transmit in URLs, headers, and other contexts where special characters might cause issues.

JWT Structure

Header

The header typically consists of two parts: the type of token (JWT) and the signing algorithm being used, such as HMAC SHA256 or RSA. This information is base64url encoded to form the first part of the JWT.

Payload

The payload contains the claims, which are statements about an entity (typically, the user) and additional data. There are three types of claims: registered claims (like iss, exp, sub), public claims, and private claims. The payload is also base64url encoded to form the second part of the JWT.

Signature

The signature is used to verify that the sender of the JWT is who it says it is and to ensure that the message wasn't changed along the way. To create the signature, you take the encoded header, the encoded payload, a secret, and the algorithm specified in the header, and sign that.

Standard JWT Claims

iss (Issuer)

Identifies who issued the JWT

sub (Subject)

Identifies the subject of the JWT (usually user ID)

aud (Audience)

Identifies the recipients that the JWT is intended for

exp (Expiration Time)

Identifies the expiration time after which the JWT must not be accepted

iat (Issued At)

Identifies the time at which the JWT was issued

nbf (Not Before)

Identifies the time before which the JWT must not be accepted

How to Use This JWT Decoder

  1. Paste your JWT token into the input field at the top of the page.
  2. View the decoded output showing the header, payload, and signature sections.
  3. Check expiration status with a live countdown showing time until the token expires.
  4. Copy decoded JSON to your clipboard using the copy buttons for header or payload.

Security & Privacy

This JWT decoder runs entirely in your browser. No data is sent to any server, and your tokens never leave your device. All decoding and parsing happens client-side using JavaScript.

Important: This tool does not verify JWT signatures. It only decodes the structure of the token. For security-critical operations, always verify JWT signatures on your server using the appropriate secret key or public key.

Common Use Cases

  • Debugging authentication issues in web applications
  • Inspecting API tokens to verify claims and expiration
  • Understanding JWT structure while learning about authentication
  • Validating token contents during development and testing
  • Troubleshooting OAuth2 and OpenID Connect flows

Frequently Asked Questions

Is it safe to decode JWTs in a browser?

Yes, decoding JWTs in the browser is safe since it only reads the token's structure. However, remember that JWTs are typically not encrypted, so never store sensitive information in the payload. This tool doesn't send your tokens anywhere - all processing happens locally.

Does this tool verify JWT signatures?

No, this tool only decodes the JWT structure. Signature verification requires the secret key used to sign the token or the public key that matches the signing key, and it should only be done on a secure server. Client-side signature verification is not recommended for security reasons.

What if my JWT doesn't decode?

Make sure your JWT has three parts separated by dots (header.payload.signature) and that each part is properly base64url encoded. Common issues include extra whitespace, missing parts, or corrupted encoding.
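The decode steps and failure cases described on this page, written out as an added JavaScript example (not this tool's own code). The function names and the sample token are constructed for illustration, and the result is marked `signatureVerified: false` because decoding alone proves nothing about who issued the token.

```javascript
function b64urlDecode(segment) {
  // Reject anything outside the base64url alphabet (whitespace, '+', '/', '=').
  if (!/^[A-Za-z0-9_-]+$/.test(segment) || segment.length % 4 === 1) {
    throw new Error("not valid base64url");
  }
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/")
    .padEnd(Math.ceil(segment.length / 4) * 4, "=");
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

function decodeJsonPart(name, segment) {
  let value;
  try {
    value = JSON.parse(b64urlDecode(segment));
  } catch (e) {
    throw new Error(`${name}: ${e.message}`);
  }
  if (value === null || typeof value !== "object" || Array.isArray(value)) {
    throw new Error(`${name}: not a JSON object`);
  }
  return value;
}

function inspectJwt(token, nowSec = Math.floor(Date.now() / 1000)) {
  if (token !== token.trim()) throw new Error("leading or trailing whitespace");
  const parts = token.split(".");
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated parts, got ${parts.length}`);
  }
  const header = decodeJsonPart("header", parts[0]);
  const payload = decodeJsonPart("payload", parts[1]);
  // exp and nbf are NumericDate values: seconds since the Unix epoch.
  let status = "no exp claim";
  if (typeof payload.exp === "number") {
    status = nowSec >= payload.exp ? "expired" : "unexpired";
  }
  if (typeof payload.nbf === "number" && nowSec < payload.nbf) status = "not yet valid";
  // The signature stays encoded and unchecked; treat every claim as untrusted.
  return { header, payload, signature: parts[2], status, signatureVerified: false };
}

// Constructed sample token; the third part is a placeholder, not a real signature.
const enc = (o) =>
  btoa(JSON.stringify(o)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE = [enc({ alg: "HS256", typ: "JWT" }),
  enc({ iss: "https://issuer.example", sub: "user-123", exp: 1700000000 }),
  "c2lnbmF0dXJl"].join(".");
console.log(inspectJwt(SAMPLE));
```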
