FlowToolkit

JWT Decoder

Decode JWT headers, payloads, claims, and signatures locally.

About this tool

Paste a JSON Web Token to decode its header and payload, inspect registered claims such as issuer, subject, audience, issued-at, not-before, and expiration, and copy each decoded section. Decoding runs entirely in your browser and does not verify the token signature.

A JSON Web Token is just three Base64 pieces

JWTs look intimidating, but their structure is simple: three base64url segments (URL-safe Base64 without padding) joined by dots. The first is the header (algorithm and token type), the second is the payload (the claims), and the third is the signature over the first two. Decoding the first two pieces is trivial — and that is exactly what this tool does, locally in your browser.

Decoding is not the same as verifying. A decoded JWT shows you what the token claims to be; verification requires checking the signature against the secret or public key. This tool does the safe, common operation of inspecting tokens during development without ever asking for your keys.

Registered claims explained

  • iss — issuer. The party that created the token.
  • sub — subject. Usually the user or principal the token represents.
  • aud — audience. The intended recipient (often an API URL).
  • exp — expiration. Unix timestamp after which the token is invalid.
  • nbf — not before. The token is invalid before this timestamp.
  • iat — issued at. The timestamp when the token was created.
  • jti — JWT ID. A unique identifier for revocation lists.
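The decoding described above (splitting on dots, restoring base64url padding, JSON-parsing header and payload) and a check of the exp/nbf time claims from the list, as an added example in browser-style JavaScript. This is not the FlowToolkit code; the sample token, its issuer and audience URLs, and the dummy signature are constructed for illustration, and it assumes the atob/btoa and TextEncoder/TextDecoder globals (browsers, Node 16+).

```javascript
// Added example: minimal JWT decoder that, like the tool, never verifies the signature.

// base64url -> UTF-8 string. JWT segments use '-' and '_' and drop '=' padding.
function base64UrlDecode(segment) {
  let b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const rem = b64.length % 4;
  if (rem === 1) throw new Error("invalid base64url length");
  if (rem) b64 += "=".repeat(4 - rem);
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

// Inverse; used only to build the constructed sample token below.
function base64UrlEncode(str) {
  const bytes = new TextEncoder().encode(str);
  const b64 = btoa(String.fromCharCode(...bytes));
  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Split into header.payload.signature; the signature stays opaque and unchecked.
function decodeJwt(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected 3 dot-separated segments");
  const [h, p, s] = parts;
  return {
    header: JSON.parse(base64UrlDecode(h)),
    payload: JSON.parse(base64UrlDecode(p)),
    signature: s,     // still base64url; decoding says nothing about its validity
    verified: false,  // decoding is not verification
  };
}

// exp/nbf are seconds since the Unix epoch; a token is valid only while nbf <= now < exp.
function tokenTimeStatus(payload, nowSeconds = Math.floor(Date.now() / 1000)) {
  if (typeof payload.exp === "number" && nowSeconds >= payload.exp) return "expired";
  if (typeof payload.nbf === "number" && nowSeconds < payload.nbf) return "not-yet-valid";
  return "within-window";
}

// Unix-seconds claim -> ISO date string, as the tool does for exp, iat and nbf.
function claimToIso(seconds) {
  return new Date(seconds * 1000).toISOString();
}

// Constructed sample token (not a real credential): valid for one hour from iat.
const SAMPLE_HEADER = { alg: "HS256", typ: "JWT" };
const SAMPLE_PAYLOAD = { iss: "https://issuer.example", sub: "user-42", aud: "https://api.example",
                         iat: 1700000000, nbf: 1700000000, exp: 1700003600, jti: "constructed-id" };
const SAMPLE_JWT = [base64UrlEncode(JSON.stringify(SAMPLE_HEADER)),
                    base64UrlEncode(JSON.stringify(SAMPLE_PAYLOAD)),
                    "dummy-signature"].join(".");
```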

When you would use it

During API development, when debugging a 401 response and you want to confirm what the token actually contains. During incident response, when an expired token is rejecting users and you need to read the exp claim. During security review, when checking which audiences and scopes a token grants. The tool is read-only and local — paste any token without worrying about leaking it.

Frequently asked questions

Does this verify JWT signatures?

No. This tool decodes the token so you can inspect its contents. Signature verification requires the correct secret (for HMAC algorithms) or public key (for RSA and ECDSA algorithms).

Are tokens sent to a server?

No. The JWT is decoded locally in your browser using base64url decoding and JSON parsing. Even sensitive tokens stay on your device.

Why are exp, iat, and nbf shown as dates?

JWT time claims are Unix timestamps in seconds since 1970. The tool converts them to readable local dates while keeping the original number visible for reference.

How do I decode a JWT?

Paste the JWT into the input field. The header, payload, and signature are decoded immediately. Registered claims like iss, sub, aud, exp, nbf, iat, and jti are highlighted with their meanings.

What does the JWT header contain?

The header contains the algorithm (alg) and token type (typ). Common algorithms include HS256 (HMAC with SHA-256), RS256 (RSA PKCS#1 v1.5 with SHA-256), and ES256 (ECDSA with the P-256 curve and SHA-256).

Is it safe to paste a real JWT here?

The token is decoded entirely client-side and never transmitted. That said, JWTs often grant access — treat them as you would a password. If you suspect a token has been exposed, rotate it.

How can I tell if a JWT is expired?

Look at the exp claim. If the date is in the past, the token is expired. The tool displays the exp value in both Unix timestamp and local date format.