JWT Debugger
Decode and inspect JSON Web Tokens instantly. Header, payload, and signature shown separately. Nothing leaves your browser.
JWT Structure
A JWT has three Base64url-encoded parts separated by dots: header.payload.signature. Defined in RFC 7519. See also: jwt.io introduction.
The header names the algorithm. The payload carries claims. The signature lets the server verify both haven't been tampered with. Read more: JWT Token Debugging and Security Analysis. Encode or decode the raw parts with the Base64 Encoder.
Common Claims
- iss — issuer
- sub — subject (user ID)
- aud — audience
- exp — expiry (Unix timestamp). Convert it with the Timestamp Converter.
- iat — issued at
- jti — unique token ID. Generate a hash ID with the Hash Generator.
Security Tips
- The payload is encoded, not encrypted — never put secrets in it
- Always transmit JWTs over HTTPS. URL-encode tokens in query strings with the URL Encoder.
- Keep expiry (exp) short-lived
- Use RS256 or ES256 for production (asymmetric keys)
- Store in httpOnly cookies, not localStorage
How to Use the JWT Debugger
Paste your JWT token
Paste the full token — three dot-separated parts — into the left panel. The tool accepts tokens from any auth system.
Inspect the header
The Header section shows the algorithm (e.g. HS256, RS256) and token type decoded instantly.
Read the payload claims
The Payload section lists all claims. Timestamp fields like exp and iat are automatically converted to human-readable UTC dates.
Copy any section
Click Copy next to Header, Payload, or Signature to copy that decoded part to your clipboard.
Frequently Asked Questions
Can this tool verify a JWT signature?
No — signature verification requires the secret or public key, which you should never paste into a web tool. This tool only decodes the header and payload.
Is my token sent to a server?
No. All decoding happens in your browser using the Web Crypto API and atob(). Your token never leaves your device.
What is Base64url encoding?
It is Base64 with + replaced by -, / replaced by _, and padding removed — making it safe for use in URLs and HTTP headers. You can encode/decode Base64 directly with the Base64 tool.
Why does exp show a human-readable date?
This tool automatically converts exp, iat, and nbf claims from Unix timestamps to UTC strings so you can read them instantly.
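The decode path described in the last two answers (Base64url to JSON, then exp, iat and nbf to UTC), as an added example that is not this tool's own code. The function names, the warning strings and the embedded sample token are assumptions made for the illustration; the warnings mirror the Security Tips above.

```javascript
// Added example: decode-only JWT inspection. It does NOT verify the signature.
// Widely published sample token (HS256; claims sub, name, iat), not a live credential.
const SAMPLE_TOKEN =
  "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9." +
  "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ." +
  "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c";

function base64urlToBytes(segment) {
  // Reject anything outside the URL-safe alphabet (including "+", "/", "=").
  if (!/^[A-Za-z0-9_-]*$/.test(segment) || segment.length % 4 === 1) {
    throw new Error("not valid unpadded Base64url");
  }
  // Undo the URL-safe substitutions, then restore the stripped padding for atob().
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const binary = atob(b64 + "=".repeat((4 - (b64.length % 4)) % 4));
  return Uint8Array.from(binary, (ch) => ch.charCodeAt(0));
}

function decodeJsonSegment(segment) {
  // Header and payload are UTF-8 JSON; atob() alone would mangle non-ASCII claims.
  const text = new TextDecoder("utf-8", { fatal: true }).decode(base64urlToBytes(segment));
  return JSON.parse(text);
}

function inspectJwt(token, nowMs = Date.now()) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) {
    throw new Error("expected 3 dot-separated parts, got " + parts.length);
  }
  const header = decodeJsonSegment(parts[0]);
  const payload = decodeJsonSegment(parts[1]);
  const times = {};
  for (const claim of ["exp", "iat", "nbf"]) {
    // These claims are seconds since the Unix epoch; Date expects milliseconds.
    if (typeof payload[claim] === "number") {
      times[claim] = new Date(payload[claim] * 1000).toISOString();
    }
  }
  const warnings = [];
  if (typeof payload.exp !== "number") warnings.push("no exp claim");
  else if (payload.exp * 1000 <= nowMs) warnings.push("expired");
  if (/^HS/.test(String(header.alg))) warnings.push("symmetric algorithm");
  const signatureBytes = base64urlToBytes(parts[2]).length;
  return { header, payload, times, warnings, signatureBytes, verified: false };
}

console.log(inspectJwt(SAMPLE_TOKEN));
```

The result always carries `verified: false`: decoded claims are untrusted input until a server has checked the signature with its key.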