Decode, Validate & Analyze JSON Web Tokens
A powerful tool for decoding and analyzing JSON Web Tokens (JWT). Inspect token headers, payloads, and signatures with real-time validation and expiration tracking.
The JWT Decoder provides a comprehensive interface for analyzing JSON Web Tokens. Whether you're debugging authentication issues, verifying token contents, or learning about JWT structure, this tool has you covered.
Tip: Use the "Load Sample Token" button to see an example JWT and explore all the features of the tool.
The token input section provides a clean interface for pasting and managing your JWT input.
Paste your JWT token into the textarea. The token will be automatically decoded as you type or paste.
Quick actions for common operations:
JWTs consist of three parts separated by dots: Header.Payload.Signature
Real-time validation feedback helps you quickly understand the state of your JWT.
The token is properly formatted and has not expired. All claims can be read and analyzed.
The token structure is valid but the expiration time (exp) has passed. The token should not be accepted.
The token does not match the expected JWT format. Check that it has exactly three parts separated by dots.
The overview section provides quick insights into the most important aspects of your JWT.
The cryptographic algorithm used to sign the token:
HS256, RS256, ES256, etc.
Time remaining until the token expires:
2d 5h, 1h 30m, Expired, etc.
The entity that issued the token (iss claim):
example.com, auth0, etc.
The principal that is the subject of the token (sub claim):
user_id, email, etc.
The JWT Decoder performs comprehensive validation of standard claims and checks for security issues in your token's algorithm.
Analyzes the signing algorithm for security vulnerabilities:
Validates all standard JWT claims:
Security Recommendation
Always verify tokens using signature verification, not just by decoding them. A valid-looking token may have been tampered with if the signature cannot be verified.
Verify the authenticity of JWTs by checking their cryptographic signature against your secret key or public key.
For HS256, HS384, HS512 algorithms:
For RS256, ES256, and other asymmetric algorithms:
Key Format Tips
For RSA/ECDSA keys, ensure your public key is in the correct format (PEM or Base64). The key must match the private key used to sign the token.
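The difference between decoding and verifying, as an added example that is not part of the original page or the tool's own code: a token whose payload was altered still decodes cleanly, and only the HMAC check rejects it. The function names, the secret, and the sample claims are constructed for illustration; the status strings mirror the valid, expired, and invalid-format states described above.

```python
import base64, hashlib, hmac, json

def b64url_decode(part):
    # JWT segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_json(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def hs256(signing_input, secret):
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def make_token(payload, secret):
    signing_input = b64url_json({"alg": "HS256", "typ": "JWT"}) + "." + b64url_json(payload)
    sig = base64.urlsafe_b64encode(hs256(signing_input, secret)).rstrip(b"=").decode()
    return signing_input + "." + sig

def decode_only(token):
    # What a decoder shows: readable claims, nothing about authenticity.
    return json.loads(b64url_decode(token.split(".")[1]))

def swap_payload(token, payload):
    # Keep header and signature, replace the claims: a tampered token.
    head, _, sig = token.split(".")
    return f"{head}.{b64url_json(payload)}.{sig}"

def verify_hs256(token, secret, now):
    parts = token.split(".")
    if len(parts) != 3:
        return "invalid format"
    try:
        alg = json.loads(b64url_decode(parts[0])).get("alg")
        exp = json.loads(b64url_decode(parts[1])).get("exp")
        sig = b64url_decode(parts[2])
    except (ValueError, AttributeError):  # bad base64/JSON, or JSON that is not an object
        return "invalid format"
    if alg != "HS256":  # pin the algorithm instead of trusting the header
        return "algorithm rejected"
    if not hmac.compare_digest(sig, hs256(parts[0] + "." + parts[1], secret)):
        return "signature mismatch"
    if isinstance(exp, (int, float)) and now >= exp:
        return "expired"
    return "valid"

SECRET = b"constructed-demo-secret"  # constructed sample data, not from the page
CLAIMS = {"iss": "example.com", "sub": "user_123", "exp": 2000000000}
TOKEN = make_token(CLAIMS, SECRET)
FORGED = swap_payload(TOKEN, {**CLAIMS, "sub": "admin"})
```

The `now` argument is passed explicitly so the expiry check is reproducible; in a service it would be the current Unix time.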
The JWT Decoder displays three decoded sections in a tabbed interface: Header, Payload, and Signature.
Contains metadata about the token:
Contains the claims (statements about the entity):
The cryptographic signature:
Standard JWT Claims
The payload may contain registered claims (iss, sub, aud, exp, iat, nbf), public claims (registered with IANA), or private claims (custom for your application).
Export decoded JWT data in multiple formats for use in your applications. Generate ready-to-use code snippets or structured data.
Structured JSON with header, payload, and signature. Configurable indent size (2 or 4 spaces).
Ready-to-use JavaScript code for decoding JWTs in browser or Node.js environments.
Type-safe TypeScript code with interfaces for header and payload. Includes type definitions.
Python code snippet using base64 and json modules. Works with Python 3.x.
Generate cURL commands with Bearer token authentication. Supports GET, POST, PUT, PATCH, DELETE.
JSON Export Options
When exporting as JSON, you can choose to include or exclude the header and signature sections, and select your preferred indent size.
Create and generate new JWTs with custom claims. Perfect for testing, development, or creating test tokens for your applications.
Choose from HMAC algorithms:
Enter your secret key to sign the token:
Add any custom claims to your JWT:
After generating a token:
Quick Workflow
Generate a token, then click "Copy & Decode" to automatically copy the token and have it decoded in the main input area for further analysis.
JWT is decoded instantly as you paste or type, with no need to click a decode button.
Automatically calculates and displays time remaining until expiration with live updates.
Visual indicators show whether the token is valid, expired, or has invalid format.
One-click copy buttons for the token, header, payload, and signature sections.
Load a sample JWT to explore all features and understand the token structure.
Header and payload are displayed as pretty-printed JSON for easy reading.
Validates standard claims (exp, iat, nbf, iss, aud) and checks algorithm security for vulnerabilities.
Verify token authenticity using secret keys (HMAC) or public keys (RSA/ECDSA) in PEM or Base64 format.
Export decoded data as JSON, JavaScript, TypeScript, Python, or cURL commands with Bearer token.
Create and generate new JWTs with custom claims. Support for standard and custom claims with multiple data types.
Automatic detection of deprecated or weak algorithms with security warnings and recommendations.
Download exported code as files or copy to clipboard. Generate ready-to-use API requests with cURL.
When authentication fails, decode the JWT to check if the token is valid, expired, or contains incorrect claims.
Examine the contents of a JWT to understand user identity, permissions, and token metadata.
Review tokens for security issues like overly long expiration, weak algorithms, or sensitive information in payload.
Verify that tokens generated by your auth system contain the expected claims and values.
New to JWT? Use the tool to explore sample tokens and understand the header, payload, and signature format.
When working with APIs that use JWT authentication, decode tokens to debug request issues.