
JWT Decoder Online — Header, Payload, Signature

Decodes JWT tokens into header (alg, typ), payload (claims) and signature. Formats exp/iat as readable dates, shows an EXPIRED warning, and explains common claims (iss, sub, aud, exp…).

⚠️ The tool only DECODES; it does NOT verify the signature. Pasted tokens are not uploaded.
Header
{
  "alg": "HS256",
  "typ": "JWT"
}
alg: HS256
Payload
{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022,
  "exp": 1900000000
}
exp: 3/18/2030, 12:46:40 AM
iat: 1/18/2018, 8:30:22 AM
Signature (raw)
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
📚 Common claims explained

  • iss: Issuer — entity that issued the token
  • sub: Subject — whom the token refers to (user ID)
  • aud: Audience — intended recipients
  • exp: Expiration Time — Unix timestamp when the token expires
  • nbf: Not Before — Unix timestamp before which the token is invalid
  • iat: Issued At — Unix timestamp when the token was issued
  • jti: JWT ID — unique identifier (replay prevention)
  • scope: OAuth scopes granted
  • role: User role / authorization level
  • email: User email
  • name: User display name

Why use this tool

🔒
Decoded locally

JWT tokens are NOT uploaded. Decoded via atob + JSON.parse in the browser. Safe for production tokens.

📅
EXP/IAT formatted

Unix timestamps exp/iat/nbf converted to readable dates. EXPIRED warning is clear.

📚
Claims explained

11 common claims (iss, sub, aud, scope, role…) with explanations — no need to consult the spec.

How to use

  1. Paste a JWT token (3 dot-separated parts).
  2. The tool auto-decodes header + payload + signature on paste.
  3. View alg, exp date, claims. Click 'Common claims explained' for reference.

What is a JWT?

JWT (JSON Web Token, RFC 7519) is a compact URL-safe format for transferring claims between systems. Structure: header.payload.signature — each part Base64url-encoded.

Header has alg (HS256, RS256…) + typ (JWT). Payload has claims (registered + custom). Signature verifies integrity using a secret or keypair.

This tool only DECODES (no signature verification) — verification must be done server-side with the secret or public key.

  • Decode header + payload + signature
  • Auto-format exp/iat/nbf timestamps
  • Clear EXPIRED warning
  • 11 common claims explained
  • Base64url decoding (URL-safe)
  • Pretty JSON output for header/payload
  • Copy individual fields
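The decoding pipeline the feature list above describes, written out as an added example (this is not the tool's own code). It follows the page's atob + JSON.parse approach but adds the pieces a practitioner needs: base64url padding repair, UTF-8 decoding of claim values, ISO formatting of exp/iat/nbf, and EXPIRED / nbf / alg=none warnings. It assumes a modern browser or Node.js 16+ (atob, btoa, TextEncoder/TextDecoder). The sample token is constructed from the example values shown on this page; the signature string is copied verbatim and is not verified.

```javascript
// Added example (not the tool's own code): a client-side JWT decoder in the
// spirit of the page's atob + JSON.parse approach. It decodes only; nothing
// is verified.

// Base64url -> UTF-8 string. JWT parts drop '=' padding and use '-' and '_',
// so restore standard base64 before atob, then decode the bytes as UTF-8
// (atob alone yields a latin1 string, which mangles non-ASCII claim values).
function base64UrlDecode(part) {
  let b64 = part.replace(/-/g, '+').replace(/_/g, '/');
  const rem = b64.length % 4;
  if (rem === 1) throw new Error('invalid base64url length');
  if (rem) b64 += '='.repeat(4 - rem);
  const bin = atob(b64);
  const bytes = Uint8Array.from(bin, (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

// Encoder used only to build the constructed sample tokens below.
function base64UrlEncode(str) {
  const bytes = new TextEncoder().encode(str);
  let bin = '';
  for (const b of bytes) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Format a numeric Unix-seconds claim as an ISO date; non-numbers are left as-is.
function formatTimestamp(value) {
  return typeof value === 'number' ? new Date(value * 1000).toISOString() : value;
}

// Decode a JWS token WITHOUT verifying it. `now` is Unix seconds (injectable for tests).
function decodeJwt(token, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected 3 dot-separated parts');
  const [h, p, signature] = parts;
  const header = JSON.parse(base64UrlDecode(h));
  const payload = JSON.parse(base64UrlDecode(p));

  const warnings = [];
  if (header.alg === 'none') warnings.push('alg=none: token is unsigned');
  if (signature === '') warnings.push('empty signature');
  if (typeof payload.exp === 'number' && payload.exp <= now) warnings.push('EXPIRED');
  if (typeof payload.nbf === 'number' && payload.nbf > now) warnings.push('NOT YET VALID (nbf in the future)');

  const times = {};
  for (const claim of ['exp', 'iat', 'nbf']) {
    if (claim in payload) times[claim] = formatTimestamp(payload[claim]);
  }
  return { header, payload, signature, times, warnings, expired: warnings.includes('EXPIRED') };
}

// Constructed sample tokens. Values come from the example shown on this page;
// the signature is copied verbatim and is NOT checked here.
const SAMPLE_SIGNATURE = 'SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c';
const SAMPLE_TOKEN =
  base64UrlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' })) + '.' +
  base64UrlEncode(JSON.stringify({ sub: '1234567890', name: 'John Doe', iat: 1516239022, exp: 1900000000 })) + '.' +
  SAMPLE_SIGNATURE;

// Constructed alg=none token: three parts, the third one empty, plus a non-ASCII claim.
const NONE_TOKEN =
  base64UrlEncode(JSON.stringify({ alg: 'none', typ: 'JWT' })) + '.' +
  base64UrlEncode(JSON.stringify({ sub: '42', name: 'Zoë', exp: 1900000000 })) + '.';

console.log(JSON.stringify(decodeJwt(SAMPLE_TOKEN), null, 2));
console.log(JSON.stringify(decodeJwt(NONE_TOKEN), null, 2));
```

The `now` parameter is what makes the EXPIRED check testable; in the browser the default (`Date.now()`) applies. Dates are printed in UTC (`toISOString`) so the output does not depend on the viewer's timezone, unlike the localized dates shown in the tool's output above.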

FAQ

Does the tool verify signatures?

No. Verification needs the server secret (HMAC) or public key (RSA/ECDSA) — unsafe on the client. Use a server-side tool or jwt.io online verifier.

Does it support encrypted JWT (JWE)?

No. Only JWS (signed) is decoded. JWE encrypts the payload — decrypting it needs the private key, which is not appropriate for a client-side tool.

Can I decode alg=none JWT?

Yes. A token of the form header.payload. (empty signature part) has its header and payload decoded normally. Warning: alg=none is usually a security bug.