JWT Debugger

Decode JWT header, payload, and signature. Shows expiry status, algorithm, and time-based claims with human-readable dates.

Paste a JWT token above to inspect it

Decoding happens entirely in your browser: no data is sent anywhere

What is a JWT and why decode it?

JSON Web Tokens (JWTs) are a compact, URL-safe format for transmitting claims between parties as a JSON object. They are commonly used for authentication tokens, API access tokens, and single sign-on sessions. While JWTs look like random strings, they contain structured data that can be decoded without a secret key.

Decoding a JWT is useful during development and debugging: you can inspect which claims are present, verify that expiry times are set correctly, check which algorithm is being used, and understand what data the server is receiving. This tool decodes all three parts of a JWT and presents the claims in a readable format with expiry status and human-relative time labels.

Step-by-step guide

  1. 1
    Paste your JWT token
    Copy a JWT token from your application, API response, or browser devtools and paste it into the input field.
  2. 2
    View the colour-coded token
    The header (red), payload (teal), and signature (amber) segments are highlighted so you can identify the three parts.
  3. 3
    Inspect the header
    The decoded JSON header shows the algorithm (alg) and token type (typ), along with any custom claims.
  4. 4
    Read the payload claims
    View all payload claims including subject (sub), issuer (iss), audience (aud), and custom data. Time claims are shown in ISO format with a relative human-readable offset.
  5. 5
    Check expiry status
    The tool automatically determines if the token is Valid, Expired, Not Yet Valid, or has No Expiry based on the exp and nbf claims.

Related Tools

Frequently Asked Questions

Is this tool safe to use with production JWTs?
Yes. Decoding happens entirely in your browser: no token data is sent to any server. However, as a best practice, avoid pasting tokens with sensitive user data in untrusted environments.
What are the three parts of a JWT?
A JWT consists of three Base64URL-encoded parts separated by dots: the header (algorithm and token type), the payload (claims/data), and the signature (cryptographic proof of authenticity).
Can this tool verify the JWT signature?
No. Signature verification requires the secret key or public key used to sign the token, which only the issuing server should possess. This tool decodes the header and payload for inspection only.
What is the 'exp' claim?
The 'exp' (expiration time) claim is a Unix timestamp specifying when the token should be considered expired. Tokens past their expiration time should be rejected by the server.
What does 'Not Yet Valid' mean?
This status appears when the JWT has an 'nbf' (not before) claim set to a time in the future. The token is structurally valid but should not be accepted until the nbf time is reached.
What algorithms does JWT support?
JWTs can use symmetric algorithms (HS256, HS384, HS512 using HMAC), asymmetric algorithms (RS256, RS384, RS512 using RSA; ES256, ES384, ES512 using ECDSA), and none (unsigned, not recommended for production).
What is the difference between JWT and a session cookie?
Session cookies store a session ID that is looked up in a server-side database on each request. JWTs are self-contained: the server can validate them without a database lookup, making them suitable for stateless microservices and APIs.
Why does my JWT payload show Unicode characters as escaped?
JWT payloads use Base64URL encoding which preserves non-ASCII characters. The decoded JSON is displayed as-is, so Unicode characters should appear correctly in the payload panel.
Can I decode a JWT from a mobile app or third-party service?
Yes, as long as you have the JWT string. JWTs from any issuer (Auth0, Firebase, AWS Cognito, custom servers) follow the same three-part format and can be decoded by this tool.

AlteredIdea vs alternatives

vs server-side tools: Everything runs in your browser: your data never leaves your device.

vs command-line tools: No setup needed. Works instantly in any browser.

vs paid tools: Completely free, no account required.