Decode and inspect JSON Web Tokens (JWT) without verification. Essential for debugging authentication issues and understanding token contents.

Common Use Cases

  • Authentication Debugging: Inspect tokens from OAuth/OIDC flows
  • API Integration: Understand what claims are in your access tokens
  • Token Expiration: Check when tokens expire (exp claim)
  • User Identity: See user information embedded in tokens
  • Scope Analysis: Review granted permissions and scopes
  • Development: Debug authentication flows during development

JWT Structure

A JWT consists of three parts separated by dots:

    header.payload.signature

  1. Header: Token type and signing algorithm

    {
      "alg": "HS256",
      "typ": "JWT"
    }

  2. Payload: Claims (user data, expiration, etc.)

    {
      "sub": "user123",
      "name": "John Doe",
      "iat": 1516239022,
      "exp": 1516242622
    }

  3. Signature: Cryptographic signature for verification

Common Claims

  • iss (Issuer): Who created the token
  • sub (Subject): User identifier
  • aud (Audience): Intended recipient
  • exp (Expiration): When token expires (Unix timestamp)
  • iat (Issued At): When token was created (Unix timestamp)
  • nbf (Not Before): Token not valid before this time
  • jti (JWT ID): Unique token identifier

Important Notes

  • ⚠️ This tool only DECODES tokens - it does NOT verify signatures
  • Never paste production tokens into public online tools
  • Signed JWTs are not encrypted - the header and payload are only Base64url encoded
  • Anyone can decode a JWT and read its contents
  • The signature prevents tampering, not reading
  • Expired tokens can still be decoded (but won’t be accepted by servers)