OnDevice

JWT Decoder

Decode JSON Web Tokens to inspect header, payload, and signature. Verify signatures with Web Crypto API.

Works offline. Nothing uploaded.

Tokens are decoded entirely in your browser. Never share JWTs containing sensitive data.

How to use it

1. Paste your JWT

   Enter the JWT token you want to inspect.

2. View decoded payload

   The header and payload are decoded and displayed as formatted JSON.

3. Check expiration

   See token claims including expiration time and issuer details.

When to use JWT Decoder

You paste a 900-line JWT response from an Okta authentication flow into jwt.io and your laptop fan kicks on. This tool decodes the token right in your browser tab — header, payload, and signature laid out side by side — using the Web Crypto API with no server call. Check the `exp` timestamp as a real date, verify the `iss` claim matches the expected issuer, and inspect which scopes and roles are actually encoded before you spend an hour debugging permissions. Nothing you decode leaves this tab, which matters: a valid JWT can be replayed immediately, so pasting one into a third-party tool carries real risk. Decode it here, check what you need, move on.

  • Verify the issuer and expiry of an Okta token during an auth debugging session
  • Check which scopes are encoded before filing a permissions bug report
  • Inspect a Cognito token without sending it to an external decoder

About this tool

Debugging an auth issue and you need to know what's actually inside a JWT — who issued it, when it expires, what claims it carries? Paste the token and see the header, payload, and signature decoded side by side. Inspect expiry timestamps as readable dates, check the algorithm, verify the issuer claim without firing up a console. Optionally verify the signature against a public key using the Web Crypto API. Your token never leaves this browser tab — no server receives it, which matters because a valid JWT can be replayed. Decode, inspect, move on.

Frequently asked

Is this JWT decoder private? Does it send my token to a server?
No. Decoding runs on your computer with JavaScript and the Web Crypto API — your tokens never leave your device, which matters since JWTs often contain sensitive claims.
Can this tool verify JWT signatures?
The tool decodes and displays the header, payload, and signature. Full cryptographic verification is shown for informational purposes using the Web Crypto API when applicable.
What JWT algorithms are supported?
The decoder works with any JWT regardless of algorithm (HS256, RS256, ES256, etc.), since it decodes the Base64url-encoded header and payload without needing the secret key.
What do the timestamps mean in a JWT?
Common timestamp fields: `iat` is when the token was issued, `exp` is when it expires, and `nbf` is the earliest time it can be used. These are Unix timestamps (seconds since Jan 1, 1970, UTC).
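
The decode-and-inspect steps described in the answers above, as an added example that is not this tool's own code: it reads the header and payload without any key, renders `iat`/`nbf`/`exp` as dates, and flags expiry and issuer problems. The helper names, the issuer URL and the sample token are assumptions constructed for illustration.

```javascript
// Added example. Claims read this way are untrusted until the signature is verified.

// Decode one base64url segment (RFC 7515 alphabet, padding stripped) into parsed JSON.
function decodeSegment(seg) {
  if (!/^[A-Za-z0-9_-]+$/.test(seg)) throw new Error('segment is not base64url');
  const b64 = seg.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - (seg.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder('utf-8', { fatal: true }).decode(bytes));
}

// Unix seconds -> ISO 8601 date, or null when the claim is absent or not numeric.
const toDate = (s) => (typeof s === 'number' ? new Date(s * 1000).toISOString() : null);

// inspectJwt is a hypothetical helper name. `now` is injectable so checks are repeatable.
function inspectJwt(token, { expectedIssuer, now = Math.floor(Date.now() / 1000) } = {}) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const header = decodeSegment(parts[0]);
  const payload = decodeSegment(parts[1]);
  const findings = [];
  if (String(header.alg).toLowerCase() === 'none') findings.push('alg is none (unsigned token)');
  if (typeof payload.exp !== 'number') findings.push('no exp claim');
  else if (now >= payload.exp) findings.push('expired');
  if (typeof payload.nbf === 'number' && now < payload.nbf) findings.push('not yet valid');
  if (expectedIssuer !== undefined && payload.iss !== expectedIssuer) findings.push('issuer mismatch');
  return {
    header, payload, findings,
    signatureVerified: false, // decoding never touches the key, so nothing is proven here
    dates: { iat: toDate(payload.iat), nbf: toDate(payload.nbf), exp: toDate(payload.exp) },
  };
}

// Constructed sample token: made-up claims and a placeholder signature segment.
const encodeSegment = (obj) =>
  btoa(JSON.stringify(obj)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const SAMPLE_TOKEN = [
  encodeSegment({ alg: 'RS256', typ: 'JWT' }),
  encodeSegment({ iss: 'https://issuer.example', iat: 1700000000, nbf: 1700000000,
    exp: 1700003600, scope: 'read:orders' }),
  'c2lnbmF0dXJl',
].join('.');

console.log(inspectJwt(SAMPLE_TOKEN, { expectedIssuer: 'https://issuer.example', now: 1700000500 }));
```

The `signatureVerified: false` field is deliberate: an authorization decision needs a signature check against the issuer's key before any of these claims are believed.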