Tool Fu
$ toolfu run jwt-decoder

JWT Decoder — Decode JSON Web Tokens Online

Free online JWT decoder. Decode and inspect JSON Web Tokens instantly. View header, payload, claims, and expiration — no data sent to any server.

decoded header
{
  "alg": "HS256",
  "typ": "JWT"
}
decoded payload
{
  "sub": "1234567890",
  "name": "John Doe",
  "admin": true,
  "iat": 1516239022 // Jan 18, 2018, 1:30:22 AM
}
signature
KMUFsIDTnFmyG3nMiGM6H9FNFUROf3wh7SmqJp-QV30

verification requires the signing key — never paste secrets into a web tool

Decode JWT Tokens — Private and Instant

JSON Web Tokens (JWTs) are the standard way to handle authentication in modern web applications. When you're debugging an API, troubleshooting login issues, or inspecting token claims, you need to decode the JWT to see what's inside. Most online JWT decoders send your token to a server — this one doesn't.

This tool decodes your JWT entirely in the browser. It splits the token into its three base64url-encoded parts (header, payload, and signature), decodes the header and payload as JSON, and displays them in a readable format. Timestamp claims like exp, iat, and nbf are automatically converted to human-readable dates so you can quickly check if a token has expired.

How JWT tokens work

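A JWT is made up of three parts separated by dots: header.payload.signature. The header specifies the signing algorithm (e.g., HS256, RS256). The payload contains the claims: data like the user ID, email, roles, and expiration time. The header and payload are only base64url-encoded, not encrypted, so anyone who holds the token can read them. The signature is a keyed MAC (e.g., HS256) or a digital signature (e.g., RS256) computed over the encoded header and payload, which allows the server to verify the token hasn't been tampered with.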

When to use this decoder

  • Debugging authentication issues in your API
  • Checking if a token has expired before making a request
  • Inspecting the claims and roles embedded in a token
  • Verifying the algorithm and key ID in the header
  • Learning how JWTs are structured
$ cat FAQ.md
What is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe token format used for securely transmitting information between parties as a JSON object. JWTs are commonly used for authentication and authorization in web applications. A JWT consists of three parts separated by dots: a header (algorithm and token type), a payload (claims/data), and a signature.
Is my token sent to a server?
No. This decoder runs entirely in your browser using JavaScript. Your JWT never leaves your device. The token is decoded locally by splitting on the dot separator and base64url-decoding each part. There is no network request involved.
Can this tool verify JWT signatures?
This tool decodes and displays the JWT contents but does not verify the cryptographic signature. Signature verification requires the signing key (secret or public key), which should never be entered into a web tool. Use this tool to inspect token contents, check expiration, and debug claims.
What do the exp, iat, and nbf claims mean?
These are standard JWT timestamp claims. 'exp' (expiration time) is when the token expires. 'iat' (issued at) is when the token was created. 'nbf' (not before) is the earliest time the token should be accepted. All are Unix timestamps (seconds since January 1, 1970).