JSON Indenter
Quick Tip: Paste any JWT (eyJ…) — the decoder splits and Base64URL-decodes header, payload, and signature instantly.
Valid JWT StructureHS256
Header
{
  "alg": "HS256",
  "typ": "JWT"
}
Payload (Claims)
{
  "sub": "user_123",
  "name": "Jane Doe",
  "email": "[email protected]",
  "roles": [
    "admin"
  ],
  "iat": 1710000000,
  "exp": 9999999999
}
exp11/20/2286, 5:46:39 PM
iat3/9/2024, 4:00:00 PM
Signature

SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

The signature is Base64URL-encoded. To verify it, use your secret or public key with a JWT library (see jwt.io/libraries).

What's Next?

JWT Encoder

Generate & sign a new JWT

JSON Validator

Validate the decoded payload

JSON Indenter

Format & beautify JSON claims

JSON to Pydantic

Build Python models from claims

JSON to Zod

TypeScript schema for JWT payload

JSON to TypeScript

Type-safe interfaces from JWT claims

JSON Path Tester

Query nested claim values

JSON Stringify

Serialize claims to string

JSON Diff

Compare two JWT payloads

JWT Decoder Online — Decode JSON Web Tokens Instantly

Paste any JSON Web Token (JWT) to instantly decode and inspect its three parts: the header, payload (claims), and signature. Our free online JWT decoder runs entirely in your browser — your token never leaves your machine. Ideal for debugging authentication flows, inspecting OAuth 2.0 access tokens, validating OpenID Connect ID tokens, and auditing JWT claims like iss, sub, exp, and aud.

  • Privacy-First: 100% client-side — no token is ever sent to a server.
  • Instant Decode: Paste a JWT and see the decoded header and payload in milliseconds.
  • Expiry Detection: exp, iat, and nbf timestamps shown in human-readable local time.
  • Works with all algorithms: HS256, RS256, ES256, PS256, and any other algorithm — the decoder only reads the header and payload, which are always Base64URL encoded.

What is a JWT? Structure of a JSON Web Token

A JSON Web Token is a compact, URL-safe means of representing claims between two parties, defined in RFC 7519. A JWT consists of exactly three Base64URL-encoded segments separated by dots:

  • Header — specifies the token type (typ: "JWT") and signing algorithm (alg: "HS256", "RS256", etc.).
  • Payload (Claims) — contains arbitrary JSON claims. Standard registered claims include iss (issuer), sub (subject), aud (audience), exp (expiration time), iat (issued at), and nbf (not before).
  • Signature — a cryptographic signature computed over the header + payload using the secret or private key. Verifying the signature requires the key — the decoder shows the raw signature bytes for inspection.

Because the header and payload are only Base64URL-encoded (not encrypted), sensitive data must never be stored in a JWT payload unless the token is additionally wrapped in a JWE (JSON Web Encryption). Use JWTs to carry non-sensitive identity claims, not passwords or PII.

Common JWT Use Cases: OAuth 2.0, OpenID Connect & API Authentication

JWTs are the backbone of modern web authentication. Understanding how to decode JWT tokens online is an essential skill for any backend or full-stack developer:

  • OAuth 2.0 Access Tokens: Providers like Auth0, Okta, AWS Cognito, and Google issue JWTs as access tokens. Decoding them reveals scopes, user ID, and token lifetime.
  • OpenID Connect ID Tokens: ID tokens carry the authenticated user's identity claims (email, name, picture) signed by the authorization server.
  • API Gateway Authorization: AWS API Gateway, Kong, and Nginx all support JWT validation middleware. Paste a token here to verify claims without hitting the server.
  • Microservices & Service Mesh: Internal services pass JWTs for service-to-service authentication (e.g., in Kubernetes with Istio or Envoy). Decode tokens to debug 401/403 errors.
  • Firebase & Supabase Auth: Both platforms use JWTs for session management. Inspect firebase:sign_in_provider or Supabase role claims directly.

Decode JWT in JavaScript, Python & Go

While our online JWT decoder is perfect for quick inspection, here are the standard libraries for programmatic JWT decoding in popular languages:

JavaScript / Node.js

// npm install jsonwebtoken
const jwt = require('jsonwebtoken');

// Decode without verification
const decoded = jwt.decode(token);

// Decode & verify signature
const verified = jwt.verify(
  token,
  process.env.JWT_SECRET
);

Python

# pip install PyJWT
import jwt

# Decode without verification
claims = jwt.decode(
  token,
  options={"verify_signature": False}
)

# Decode & verify
claims = jwt.decode(
  token,
  secret,
  algorithms=["HS256"]
)

Go

// go get github.com/golang-jwt/jwt/v4
import "github.com/golang-jwt/jwt/v4"

token, err := jwt.Parse(
  tokenStr,
  func(t *jwt.Token) (any, error) {
    return []byte(secret), nil
  },
)
claims := token.Claims
  (jwt.MapClaims)

JWT Security Best Practices: What to Check When Decoding

When you parse a JWT token, always verify these security-critical claims:

  • exp (Expiration): Never accept expired tokens. Our decoder highlights expired tokens automatically.
  • aud (Audience): Confirm the token was issued for your service. Accepting tokens issued for other audiences is a critical security vulnerability (OWASP Top 10).
  • iss (Issuer): Validate the token was signed by a trusted authority, not a malicious third party.
  • alg (Algorithm): Never accept alg: "none" — this disables signature verification and is a known attack vector.
  • Scope / Roles claims: Inspect custom claims like roles, scope, or permissions for proper authorization enforcement.

JWT Decoder Reference

Registered JWT Claims (RFC 7519)

ClaimNameDescription
issIssuerWho created and signed the token
subSubjectPrincipal (usually user ID)
audAudienceIntended recipient(s)
expExpirationUnix timestamp — token expires
iatIssued AtUnix timestamp — token created
nbfNot BeforeToken not valid before this time
jtiJWT IDUnique identifier (prevents replay)

Signing Algorithms

HS256 / HS384 / HS512HMAC + SHA

Symmetric — same secret for sign & verify. Used in server-to-server auth.

RS256 / RS384 / RS512RSA + SHA

Asymmetric — private key signs, public key verifies. Common in OAuth/OIDC.

ES256 / ES384 / ES512ECDSA + SHA

Elliptic curve — smaller tokens than RSA, similar security.

PS256 / PS384 / PS512RSASSA-PSS

Probabilistic RSA — recommended over RS256 for new systems.

none⚠️ Danger

Unsigned token. NEVER accept in production — a critical security vulnerability.

Sample Decoded JWT

Header

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload

{
  "sub": "1234567890",
  "name": "Jane Doe",
  "email": "[email protected]",
  "roles": ["admin"],
  "iat": 1710000000,
  "exp": 1710086400
}

Signature

HMACSHA256(
  base64UrlEncode(header)
  + "."
  + base64UrlEncode(payload),
  your-256-bit-secret
)

Frequently Asked Questions

Is my data safe with this JSON tool?

Yes. This tool uses 100% client-side processing. Your JSON data never leaves your browser and is never sent to our servers, ensuring maximum privacy and security.

Does this tool work offline?

Once the page has loaded, all processing happens locally in your browser. You can disconnect from the internet and the tool will continue to work — no server connection is required to format, validate, or convert your JSON.

Is there a file size limit?

No server-side limits apply because everything runs in your browser. Practical limits depend on your device's memory, but modern browsers handle JSON files of tens of megabytes without issue.

Is it safe to paste my JWT token into this decoder?

Yes. This JWT decoder runs 100% client-side using JavaScript in your browser. Your token is never sent to any server or stored anywhere. The Base64URL decoding happens entirely on your machine. That said, avoid pasting tokens that grant access to sensitive production systems when you're on a shared or untrusted computer.

What does "Invalid Signature" mean in a JWT decoder?

A JWT decode tool can only read the header and payload — it cannot verify the signature without the secret key. This tool shows the raw signature for inspection. To verify integrity, use a server-side library like jsonwebtoken (Node.js) or PyJWT (Python) with the correct secret or public key.

Why does my JWT show as expired?

The "exp" (expiration) claim is a Unix timestamp. Your JWT shows as expired if the current time is past that timestamp. In production, request a new token from your authorization server. For testing, use the JWT Encoder to generate a token with a future expiration.

What are the three parts of a JWT token?

A JWT has three Base64URL-encoded parts separated by dots: (1) Header — contains the algorithm (alg) and token type (typ); (2) Payload — contains the claims (sub, iss, exp, custom data); (3) Signature — a cryptographic hash of header + payload using the signing key. The header and payload are readable by anyone; only the signature provides integrity guarantees.

Can I decode a JWT without the secret key?

Yes! The header and payload of a JWT are only Base64URL-encoded, not encrypted. Anyone can decode and read them. The secret or private key is only needed to VERIFY the signature (i.e., confirm the token was not tampered with). This is why you should never put sensitive information like passwords in the JWT payload.

Related Reading

Is My JSON Valid? A Guide to Validation

Validate JSON data with syntax & schema validation. Ensure RFC 8259 compliance, prevent runtime errors, and secure your data processing.

JSON for AI Function Calling: A Practical Guide

Master how to format JSON schemas to reliably trigger function calling in OpenAI, Claude, and Gemini APIs.

JSON Formatting Best Practices for 2026

Learn the latest JSON formatting best practices. Improve readability, standardize API responses, and enforce linting rules across your team.

Why Client-Side Parsing Matters for Security

Learn why client-side JSON parsing protects sensitive data. Discover how local processing prevents data breaches and ensures privacy compliance.