What is a JWT (JSON Web Token)?

A JWT is a compact, URL-safe token used to securely transmit information between parties as a signed JSON object. It has three Base64URL-encoded parts: Header (algorithm & type), Payload (claims/data), and Signature. JWTs are widely used for authentication and authorisation in REST APIs and web apps.

How do I decode a JWT token online?

Paste your JWT token into the left input panel. The tool decodes it instantly — no button click. The right panel shows the Header, Payload, and Signature with all claims labelled in human-readable form, expiry status badge, and timestamps in IST.

Is it safe to paste my JWT token here?

Yes — this tool is 100% browser-side. Your token is never sent to any server. Decoding and signature verification happen entirely in JavaScript using the Web Crypto API. However, never share production JWTs with others as they grant access to your account.

What are standard JWT claims and what do they mean?

Standard claims include: iss (issuer — who created the token), sub (subject — user ID), aud (audience), exp (expiration Unix timestamp), nbf (not-before time), iat (issued-at timestamp), jti (unique JWT ID). Custom claims like name, email, roles are added by your application.

Can this tool verify JWT signatures?

Yes, for HMAC algorithms (HS256, HS384, HS512) go to the Verify tab and paste your secret key. This runs 100% in your browser via the SubtleCrypto API. For RSA (RS256) and ECDSA (ES256) algorithms, asymmetric verification requires a public key and is not supported browser-side.

What does "Token Expired" mean and how do I fix it?

The exp claim contains a Unix timestamp. If the current time is past that timestamp, the token is expired and your API returns 401 Unauthorized. Re-authenticate with your login endpoint to get a fresh token.

What is the "alg: none" security warning?

The "none" algorithm means the JWT has no signature — it is completely unsigned. Anyone can forge a token with alg:none to bypass authentication. Never accept alg:none tokens in your API. This tool shows a critical red warning when it detects insecure algorithms.

🔑

JWT Token Decoder — Decode Bearer Tokens Online

Decode · Inspect · Verify · Generate JSON Web Tokens — expiry countdown, security warnings, HS256 verify — 100% browser-side

Ctrl+Enter = Re-decode

JWT TOKEN INPUT

📂

0 B

🔑

Paste a JWT to decode

Supports HS256 · RS256 · ES256 · All JWT types

Ctrl+L ClearCtrl+S DownloadCtrl+Shift+C Copy output1 Decoded2 Raw3 VerifyP Pin

💡

Bearer tokens are the most common form of JWT in production APIs — sent as Authorization: Bearer eyJ... in HTTP headers. This decoder automatically strips the "Bearer " prefix so you can paste the full header value directly. It shows the decoded header algorithm, all payload claims, expiry status, and security warnings in a clean three-section layout.

📌 Bearer Token Decode

Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6Im15LWtleS0xIn0.eyJzdWIiOiJ1c2VyXzEyMyIsImVtYWlsIjoidXNlckBleGFtcGxlLmNvbSIsInJvbGVzIjpbImFkbWluIl19.sig

Bearer prefix stripped · Header: RS256, kid=my-key-1 · Payload: sub, email, roles=[admin] · Valid token

JWT Token Decoder — Decode Bearer Tokens Online

What is a JWT Decoder?

JWT Structure — How It Works

Frequently Asked Questions

What is a Bearer token?

Why does my JWT have three dots?

Can I use this tool with Firebase Auth tokens?

What is the kid claim in the JWT header?

How do I get the raw JWT from my browser's localStorage?