JWT Decoder & Debugger
Decode and inspect JWT tokens online — view header, payload claims, and expiry status. Your token never leaves your browser. Supports HS256, RS256, and all common algorithms.
About the JWT Decoder & Debugger
The DevToolHeaven JWT Decoder instantly decodes JSON Web Tokens and displays the header, payload, and signature in a clear three-panel layout. Each claim in the payload is shown with its human-readable description, and timestamp claims like exp and iat are automatically converted to readable date and time.
The expiry status is checked automatically — tokens are highlighted green when valid, amber when expiring within 5 minutes, and red when already expired. This makes it easy to debug authentication issues and inspect token contents during development without writing any code.
A JSON Web Token consists of three Base64URL-encoded parts separated by dots: the header (algorithm and token type), the payload (claims — the actual user data), and the signature. The header and payload are only encoded, not encrypted — anyone who has the token can read them. Only the signature, verified against the issuer's key, proves the token was issued by a trusted source and has not been tampered with; decoding alone proves nothing about authenticity.
Standard JWT claims include sub (subject / user identifier), iss (issuer), aud (audience), exp (expiration Unix timestamp), iat (issued at), and nbf (not before). Applications add custom claims for their own needs — common examples include role, scope, email, name, and tenant ID. This decoder shows human-readable descriptions for all registered standard claims alongside the raw value.
Never paste production JWT tokens containing sensitive user data into tools you do not fully trust. This decoder processes everything client-side and sends nothing to a server, but for the most sensitive tokens, decode locally using a library like jsonwebtoken (Node.js) or PyJWT (Python).
All decoding happens entirely in your browser using the atob() function and Base64URL decoding. Your JWT tokens are never sent to any server — they never leave your device.
Frequently Asked Questions
A JSON Web Token (JWT) is a compact, URL-safe token format used for authentication and information exchange. It consists of three Base64URL-encoded parts separated by dots: a header containing the algorithm, a payload containing claims (user data), and a signature for verification.
Yes — this tool decodes JWTs entirely in your browser. No token data is sent to any server. However, be aware that JWTs may contain sensitive user information in their payload. Only paste tokens from development or testing environments, or tokens that have already expired.
JWT signatures are verified using a secret key (for HMAC algorithms like HS256) or a public key (for RSA/EC algorithms like RS256). This client-side tool does not have access to your secret or public key, so it can only decode the token contents. Signature verification must be done server-side.
The exp (expiration time) claim is a Unix timestamp indicating when the token expires. This tool automatically detects the exp claim, converts it to a human-readable date and time, and shows whether the token is still valid, expiring soon, or already expired.
Standard registered claims include: sub (subject/user ID), iss (issuer), aud (audience), exp (expiration), iat (issued at), nbf (not before), and jti (JWT ID). Applications also add custom claims like name, email, role, and scope. This tool shows descriptions for all standard claims.
HS256 (HMAC-SHA256) uses a single shared secret key for both signing and verification — simpler but requires sharing the secret. RS256 (RSA-SHA256) uses a private key to sign and a public key to verify — more secure for distributed systems where many services need to verify tokens without access to the signing key.
No — signature verification requires your secret key (for HS256) or the issuer's public key (for RS256/ES256). This tool decodes the header and payload, which are Base64URL-encoded and publicly readable. For signature verification, use jsonwebtoken in Node.js, PyJWT in Python, or the official jwt.io debugger which supports pasting keys.
These are the signing algorithms declared in the JWT header. HS256 (HMAC-SHA256) uses a single shared secret — fast but both parties must know the secret. RS256 (RSA-SHA256) uses a public/private key pair — the issuer signs with the private key and anyone can verify with the public key. ES256 (ECDSA-SHA256) works like RS256 but uses smaller, more efficient elliptic curve keys. RS256 and ES256 are preferred for distributed systems.
A JWT payload is Base64URL-encoded. To decode it in a browser without a library: const payload = JSON.parse(atob(token.split(".")[1].replace(/-/g, "+").replace(/_/g, "/"))). Note that atob() returns a byte string, so claim values containing non-ASCII characters need an extra UTF-8 decoding step, and this only reads the payload; it does not verify it. For production use, the jsonwebtoken library (Node.js) or jose library (browser/Node.js) handle decoding, validation, and signature verification properly.
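As an added example (not the DevToolHeaven tool's own code), the decode step above with padding and UTF-8 handled correctly, followed by the expiry classification the tool description uses (valid, expiring within 5 minutes, expired). SAMPLE_TOKEN is the public jwt.io example token; the function names are this example's own.

```javascript
// Added example, not the tool's code. Runs in browsers and in Node 16+
// (atob and TextDecoder are globals in both).

// Base64URL -> UTF-8 string. atob() wants standard Base64, so restore the
// '+' '/' alphabet and the '=' padding, then decode the bytes as UTF-8 so
// non-ASCII claim values (names, e-mail addresses) are not mangled.
function base64UrlDecode(input) {
  let b64 = input.replace(/-/g, "+").replace(/_/g, "/");
  b64 += "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8").decode(bytes);
}

// Split into header.payload.signature and parse the two JSON parts.
// The signature is returned untouched: it cannot be checked without the key.
function decodeJwt(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("JWT must have three dot-separated parts");
  const [h, p, s] = parts;
  return {
    header: JSON.parse(base64UrlDecode(h)),
    payload: JSON.parse(base64UrlDecode(p)),
    signature: s,
  };
}

// Classify the exp claim relative to nowSeconds (defaults to the current time).
// The 5-minute "expiring soon" threshold is the one the tool description uses.
const EXPIRING_SOON_SECONDS = 5 * 60;
function expiryStatus(payload, nowSeconds = Math.floor(Date.now() / 1000)) {
  if (typeof payload.exp !== "number") return "no-exp";
  const remaining = payload.exp - nowSeconds;
  if (remaining <= 0) return "expired";
  if (remaining <= EXPIRING_SOON_SECONDS) return "expiring-soon";
  return "valid";
}

// Sample input: the well-known jwt.io example token (HS256, no exp claim).
const SAMPLE_TOKEN =
  "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9." +
  "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ." +
  "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c";

const decoded = decodeJwt(SAMPLE_TOKEN);
console.log(decoded.header.alg, decoded.payload.sub, new Date(decoded.payload.iat * 1000).toISOString());
console.log(expiryStatus(decoded.payload));                   // no-exp
console.log(expiryStatus({ exp: 1700000000 }, 1700000000 - 120)); // expiring-soon
```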
A 401 error typically means the JWT is missing, expired, or has an invalid signature. Paste your token here to check: if the exp claim shows the token is expired, request a new one. If the token looks valid but you still get 401, the issue is likely a signature mismatch — the server secret or public key does not match the one used to sign the token.
Access tokens are typically valid for 15 minutes to 1 hour. Short expiry limits damage if a token is stolen. Refresh tokens (long-lived, stored securely) are used to obtain new access tokens without requiring login again. Never set access token expiry longer than 24 hours. Check the exp claim in your token here to see its current expiry.
An access token is short-lived (minutes to hours) and sent with every API request in the Authorization header. A refresh token is long-lived (days to weeks), stored securely (httpOnly cookie), and used only to obtain a new access token when the current one expires. Refresh tokens are not decoded by this tool — they are opaque strings that only the auth server understands.