Your token is decoded locally — nothing is sent to any server.
Paste a JWT on the left to inspect its header, payload claims, and signature in real time. Nothing leaves your browser.
Decode tokens instantly. Inspect claims. Catch auth bugs.
Everything you need to understand JSON Web Tokens — from structure to security.
A JSON Web Token (JWT) is a compact, URL-safe string that encodes claims between two parties. It has three Base64url-encoded parts separated by dots: header.payload.signature.
The header declares the algorithm. The payload contains the claims (user data, permissions, expiry). The signature proves the token wasn't tampered with — but only if you verify it server-side.
Yes. The header and payload are not encrypted — they're only Base64url-encoded. Decoding reveals the content but doesn't break any security. This tool decodes entirely in your browser. No token data is ever sent to a server.
The signature is what provides authenticity — but verifying it requires your secret or public key, which stays with you.
What does alg: none mean — and why is it dangerous?
alg: none tells the server to skip signature verification entirely. An attacker can forge any token, set any claims (admin: true, sub: any-user), and a vulnerable server will accept it without question.
This is CVE-2015-9235, a critical vulnerability that affected many JWT libraries. Never accept tokens with alg: none in production. Most modern libraries reject them by default, but always confirm.
| Claim | Name | Meaning |
|---|---|---|
| iss | Issuer | Who created the token (e.g. your auth server URL) |
| sub | Subject | Who the token is about (usually a user ID) |
| aud | Audience | Who should accept the token (your API's identifier) |
| exp | Expiration | Unix timestamp — reject after this time |
| iat | Issued At | Unix timestamp — when the token was created |
| nbf | Not Before | Unix timestamp — reject before this time |
| jti | JWT ID | Unique token ID — use to prevent replay attacks |
HS256 (HMAC-SHA256) uses a shared secret. Both the issuer and every verifier need the same secret. Simple to set up but risky if the secret leaks. Use when you control both sides.
RS256 (RSA-SHA256) uses a key pair. The issuer signs with a private key; any service verifies with the public key. Ideal for APIs where multiple services need to verify tokens without sharing secrets. Used by Auth0, Google, Azure AD.
ES256 (ECDSA-SHA256) is like RS256 but with smaller key sizes and faster operations. Preferred for modern systems.
Why should you check exp server-side?
An expired token should be rejected even if the signature is valid. Never trust a token that has passed its exp time. Common pitfalls:
- Missing exp — tokens without expiry never expire. Treat as high risk.
What is the aud claim and why does it matter?
The audience claim specifies who the token is intended for. If your API's identifier is https://api.example.com, it should reject any token where aud doesn't match.
Without aud validation, a token issued for Service A could be replayed against Service B — a serious privilege escalation if both services trust the same issuer.
Paste your token above. Common things to check:
- Auth0: iss matching your Auth0 domain. Verify with the public key from https://<your-domain>/.well-known/jwks.json
- Firebase: iss should be https://securetoken.google.com/<project-id>. Verify with Google's public keys.
- Cognito: iss will be your Cognito User Pool URL. Check the token_use claim to distinguish access vs. ID tokens.

To decode a JWT token online, paste it into the input box at the top of this page. The decoder instantly Base64url-decodes the header and payload and shows them as formatted JSON — no button to press, no upload, and no account needed. You can also pass a token in the URL to share a decoded view. It works as a drop-in JWT chrome extension alternative and a browser-based JWT decode python alternative — no install, no script.
Decode the token and look at the exp claim. It is a Unix timestamp (seconds since 1970-01-01). If that time is in the past, the token is expired. This tool converts exp, iat and nbf into readable dates with a live countdown and labels the token as active, not-yet-valid, or expired automatically, so you do not have to do the math.
The payload is the middle segment of the token, between the two dots. It is Base64url-encoded JSON, not encrypted, so it can be read by anyone. Paste the token above and the JWT payload decoder renders the claims with plain-English explanations next to each value. You can copy the raw payload JSON with one click.
Yes. The header and payload are only Base64url-encoded, so they can be decoded without any secret or key — that is exactly what this tool does. The secret (HS256) or public key (RS256/ES256) is only needed to verify the signature, which proves the token has not been tampered with. So you can decode a JWT without verification to read it, then optionally verify it when you have the key.
A JWT (JSON Web Token) is a signed, URL-safe string used to prove identity between services. It has three parts joined by dots: header.payload.signature. The header says how it is signed, the payload carries the claims (the data), and the signature lets a server confirm the token is authentic. The header and payload are just encoded JSON, while the signature is cryptographic.
A session token is an opaque random ID; the server stores the matching session data and looks it up on every request (stateful). A JWT is self-contained: the claims live inside the token and the server validates it by checking the signature, so no central lookup is required (stateless). JWTs scale well across services but are harder to revoke before expiry — which is why short exp times and refresh tokens matter.
When a user logs in, the server issues a signed JWT. The client sends it back on each request, usually in the Authorization: Bearer <token> header. The server verifies the signature, checks exp, aud and iss, and then trusts the claims inside. Use this tool to debug JWT authentication by inspecting exactly what your bearer token contains and whether it verifies.
- Reject alg: none.
- Check exp, nbf, aud and iss on every request.

Yes. Copy the JWT from your Authorization header (drop the Bearer prefix) and paste it here to inspect it in the browser. It is a fast Postman alternative and JWT chrome extension alternative for reading bearer tokens, with claim explanations, an expiry check, a structure validator, and optional signature verification — all without sending your token anywhere.
JWT Dev Tools is a fast, private JWT decoder that lets you decode a JWT token, read every claim, and debug authentication issues without ever leaving your browser. Paste a token into the box above and this online JWT decoder instantly splits it into its three parts — header, payload, and signature — and renders clean, syntax-highlighted JSON. There is no signup, no login, and no waiting. It works as a JWT decoder online for engineers who just need an answer right now.
A JSON Web Token is three Base64url-encoded segments joined by dots. Our JWT token decoder decodes the JWT payload and header as you type, so you see the result immediately. Because decoding only Base64url-decodes the data, you can decode a JWT without a secret — the secret or public key is only ever needed to verify the signature, not to read the contents. That makes this a true JWT payload decoder and JWT header decoder rolled into one. Use the sample token button if you want to see how the JWT decode flow works before pasting your own.
Beyond raw JWT decode base64 output, this tool acts as a full JWT token inspector and JWT debugger. Every standard claim — iss, sub, aud, exp, iat, nbf and jti — is explained in plain English next to its value, so you do not have to memorize the spec. As a JWT decoder and validator, it can verify RS256, ES256 and HS256 signatures right in the browser using the Web Crypto API. Paste a PEM public key or a JWKS document for asymmetric algorithms, or your shared secret for HMAC, and confirm whether the token was really signed by who you expect.
Auth bugs usually come down to timing and trust. The built-in JWT expiry checker converts exp, iat and nbf timestamps into human-readable dates with a live countdown, so you can tell at a glance whether a token is active, not-yet-valid, or expired. The security scanner flags the dangerous alg: none vulnerability, missing aud claims, absent expiry, and other risky patterns — turning a plain JSON Web Token decoder into a practical security review tool for production tokens.
Tokens often contain sensitive data, so privacy matters. This is a JWT decoder free of tracking: every operation runs locally in JavaScript and nothing is ever transmitted to a server. There is no login and no sign-up: close the tab and the data is gone. Whether you are debugging a token from Auth0, Firebase, AWS Cognito, Okta or your own API, you can use it as a safe JWT token reader online and JWT token viewer with full confidence. It is the no-signup workflow developers actually want: paste, read, verify, ship. As a lightweight JWT token parser it loads in milliseconds and works offline once the page is cached, making it a reliable companion in any developer toolkit.
Use this as your Auth0 JWT decoder, Firebase JWT decoder, Cognito JWT decoder, Azure AD JWT decoder or Google JWT decoder — the format is the same across every provider. Copy the token out of your Authorization header (drop the Bearer prefix) and paste it here to decode the bearer token and read its claims. It is the fastest way to inspect a JWT in the browser and a clean JWT chrome extension alternative, JWT decode python alternative, and Postman alternative for inspecting tokens — no install, no script, no API call. Whether you are chasing a 401, an audience mismatch, or an expired session, this is a practical way to debug JWT authentication and parse a JWT token online.
Not every string that looks like a token is valid. This JWT token format checker and JWT structure validator confirms there are exactly three Base64url parts and surfaces a clear message when something is off — so you can fix a malformed JWT error, catch an invalid JWT token, or spot a token that is truncated or too long because of a copy-paste slip. Combined with the built-in JWT token analyzer and signature check, you can both decode and verify a JWT in one place. Note that this tool is a decoder, not a JWT encoder — it reads and validates existing tokens rather than minting new ones.