DevToolsLabs

JWT Decoder & Validator (Parse JSON Web Tokens Online)

JSON Web Tokens (JWTs) are widely used for authentication. Paste your encoded token below to decode it and inspect the JSON header (including the signing algorithm) and payload. All decoding runs entirely client-side using native JavaScript APIs, keeping your sensitive tokens safe.

100% Private & Secure

This tool runs completely inside your browser using client-side WebAssembly and JS. Zero data is ever sent to our servers.

How to use this tool

  1. Paste your full encoded JWT string (which consists of three parts separated by dots: header.payload.signature) into the input box.
  2. The tool will instantly parse the Base64Url encoded string.
  3. The decoded JSON Header and Payload will appear in the specific colored boxes below.

Example Usage

Input
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Output
Header: { "alg": "HS256", "typ": "JWT" }
Payload: { "sub": "1234567890", "name": "John Doe", "iat": 1516239022 }

When to use this tool

  • Debugging authentication flow issues in your REST or GraphQL backend.
  • Verifying the contents and expiration timestamp (exp claim) of an access token.
  • Checking which signing algorithm (e.g., RS256 or HS256) a token was signed with.

Frequently Asked Questions

How does the browser decode the JWT payload?

JWTs use a URL-safe variant of Base64 called Base64Url. Our tool converts the Base64Url string back into standard Base64 by replacing the URL-safe characters (- and _) and restoring the padding, and then uses the native browser atob() function to decode it into readable JSON.

Is it safe to paste my production JWT here?

Yes. Unlike many server-side developer tools that log or store your input, this decoder is 100% client-side. The network tab in your browser's Developer Tools will confirm that your token never leaves your local machine.

Can this tool verify the signature of my token?

No. Signature verification requires the private key or shared secret that only your backend server possesses. This tool focuses strictly on safely decoding the public header and payload claims for debugging purposes.

What does the 'iat' or 'exp' claim in the payload mean?

Both represent Unix timestamps. 'iat' stands for 'Issued At', marking exactly when the token was generated by the server. 'exp' stands for 'Expiration Time', which is the exact moment the token becomes invalid and requires the user to re-authenticate.

Why does my token throw an 'Invalid JWT Format' error?

A valid JWT must have exactly three segments separated by two periods (header.payload.signature). If your token is missing a segment, or if you accidentally copied a trailing space or quotation mark, the decoding will fail.
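
The decoding steps described in the answers above (Base64Url conversion, atob(), the three-segment check, and the iat/exp timestamps), shown as an added example rather than this tool's own code. The names decodeJwt and b64urlToBytes are hypothetical, and the sample token is the one from Example Usage.

```javascript
// Added example: decodeJwt and b64urlToBytes are hypothetical names, not the tool's code.
function b64urlToBytes(segment) {
  // Reject empty segments and stray characters such as a trailing space or quote.
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) {
    throw new Error("Invalid JWT Format: segment is empty or not Base64Url");
  }
  // Map the URL-safe alphabet back to standard Base64 and restore '=' padding.
  let b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  if (b64.length % 4 === 1) throw new Error("Invalid JWT Format: bad Base64Url length");
  b64 += "=".repeat((4 - (b64.length % 4)) % 4);
  // atob() returns one character per byte; convert to real bytes so that
  // non-ASCII (UTF-8) claim values decode correctly.
  return Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
}

function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.split(".");
  if (parts.length !== 3) {
    throw new Error("Invalid JWT Format: expected header.payload.signature");
  }
  const utf8 = new TextDecoder("utf-8", { fatal: true });
  const parse = (seg) => JSON.parse(utf8.decode(b64urlToBytes(seg)));
  const header = parse(parts[0]);
  const payload = parse(parts[1]);
  b64urlToBytes(parts[2]); // well-formedness check only; the signature is NOT verified
  const toIso = (t) => (typeof t === "number" ? new Date(t * 1000).toISOString() : null);
  return {
    header,
    payload,
    issuedAt: toIso(payload.iat), // iat and exp are Unix timestamps in seconds
    expiresAt: toIso(payload.exp),
    expired: typeof payload.exp === "number" ? nowSeconds >= payload.exp : null,
    signatureVerified: false, // decoded claims are untrusted until a backend verifies them
  };
}

// Sample token from the Example Usage section of this page.
const SAMPLE =
  "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9." +
  "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ." +
  "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c";
```

Because the result always carries signatureVerified: false, anything read from it is for debugging only and should not drive an authorization decision.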
