JSON Web Token Decoder & Inspector
Paste any JWT to instantly decode the header, payload, and signature. Inspect claims like exp, iat, and sub, and verify HMAC signatures — all client-side with no data ever sent to a server. Used by developers and security engineers to debug authentication flows.
Enter your HMAC secret key to verify the token signature client-side. Supports HS256, HS384, and HS512. Your secret never leaves the browser.
How to Use the JWT Decoder
- Paste your JWT into the input field — the "Bearer " prefix is stripped automatically.
- The Header panel shows the algorithm (alg) and token type (typ).
- The Payload panel shows all claims; timestamp fields (exp, iat, nbf) are displayed as both Unix values and human-readable dates.
- A status badge indicates whether the token is currently valid, expired, or not yet active.
- Switch to the Verify Signature tab, enter your HMAC secret, and click Verify to confirm authenticity.
- Use the per-panel Copy buttons to grab formatted JSON for logs or documentation.
Key Features
- Instant decoding of JWT header, payload, and raw signature
- Syntax-highlighted JSON display with color-coded keys and values
- Human-readable timestamp rendering for exp, iat, and nbf
- Token validity badge (valid / expired / not yet active) with elapsed time
- Bearer prefix auto-stripping
- HS256, HS384, and HS512 signature verification via SubtleCrypto API
- Per-section copy buttons for header and payload JSON
- Zero server-side processing — your token never leaves your browser
Use Cases
Debugging expired JWT tokens in production
When an API returns 401 Unauthorized, paste the token here to instantly see if exp is in the past. The badge and human-readable timestamp remove all guesswork about why a request is failing.
Inspecting JWT claims from an OAuth provider
OAuth 2.0 and OpenID Connect access tokens carry claims like sub, aud, iss, and custom scopes. This decoder lets you read every claim without writing a line of code.
Verifying HMAC signature integrity during development
If you control the signing secret, use the Verify tab to confirm a token has not been tampered with. This is useful when testing token generation in new microservices or auth libraries.
Teaching JWT structure and security concepts
JWTs are widely misunderstood — many developers assume the payload is encrypted. This tool makes it clear that the header and payload are only Base64URL-encoded and visible to anyone, reinforcing why signature verification matters.
Checking token expiration before an API call
Before making authenticated requests, paste the stored access token to confirm it is still valid. The expiration badge shows exactly how long until the token expires or how long ago it did.
FAQs
Yes. All decoding and verification happens entirely in your browser using JavaScript. Your token is never sent to any server and never stored anywhere. You can verify this by opening browser DevTools (F12) and checking the Network tab — there are no outgoing requests containing your token.
A JSON Web Token (JWT) is a compact, URL-safe token format. It has three Base64URL-encoded parts separated by dots: the header (algorithm and type), the payload (claims like user ID and expiration), and the signature (proof of authenticity). Decoding the first two parts requires no key — anyone can read them. Only verifying the signature requires the secret.
The decoder displays any JWT regardless of algorithm. Signature verification supports HS256, HS384, and HS512 — the HMAC-SHA family — using the browser's built-in SubtleCrypto API. RSA (RS256, RS384, RS512) and ECDSA (ES256, ES384) require a public key and are not supported for verification in this client-side tool.
The exp (expiration) claim is a Unix timestamp. The tool compares it with the current time (Date.now() / 1000). If the expiration is in the past, the token is expired. The badge shows exactly how long ago it expired — seconds, minutes, hours, or days — so you can quickly assess how stale it is.
iat (Issued At) records the exact moment the token was created. nbf (Not Before) specifies a future time before which the token must be rejected — useful for tokens that should activate after a delay. A token with nbf in the future gets a yellow "TOKEN NOT YET VALID" badge.
Yes. The header and payload are Base64URL-encoded, not encrypted. Any tool — including this one — can decode and read them without the secret. This is by design: JWTs are meant to be readable. The signature ensures the payload has not been modified, but the claims themselves are not confidential. Never store sensitive information in a JWT payload.
Decoding reads the Base64URL-encoded header and payload — anyone can do this. Verifying recomputes the signature using the secret key and checks it matches the signature in the token. Only verification proves the token was issued by a trusted party and has not been tampered with. Never trust decoded claims for authorization without server-side verification.
HTTP Authorization headers commonly send tokens as Authorization: Bearer eyJ.... When copying from a header value or log, the "Bearer " prefix is included. The tool automatically detects and strips it so you can paste the full header value without manual editing.
Toolaroid's JWT Decoder is built for developers who debug authentication and API integrations daily. Because everything runs locally in your browser, there is no risk of leaking tokens to a third-party server — a critical concern when working with production credentials. Whether you are tracing a 401 error, auditing token claims for a security review, or teaching a junior developer how JSON Web Tokens work, this tool provides instant, clear results with no account required. Bookmark it alongside your API client and keep it in your debugging toolkit.