JWT Decoder

A JSON Web Token is a compact, URL-safe string that carries digitally signed claims like user ID and expiry time in its header, payload, and signature parts.

If you want to learn everything there’s to know about JWT, you can do so with our dedicated JWT Crash Course.

• Real-time Decoding: Instantly decode and validate the given JWT token as you type or paste.
• Signature Verification: Validate JWT signatures using HMAC-SHA256 algorithm.
• Base64 Support: Automatically detects and handles both standard and URL-safe Base64 encoding.
• Secure Processing: All operations are performed client-side for maximum security. Tokens aren’t transmitted over the network.
• Copy Functionality: Single-click copy-to-clipboard functionality for the decoded token.

1. Copy the entire JWT Token that you want to decode.
2. Paste your JWT token into the Token text area.
3. Review the Decoded Token section where the header and payload appear instantly.
4. Inspect the output and make sure both header and payload are decoded fully.
5. Use Copy Decoded if you need the parsed result in your clipboard.

When you are done decoding the token successfully, follow these steps:

• Enter the secret key used to sign the token in the Secret Key field.
• The tool supports both plain text and Base64-encoded secrets.
• View the validation result in the Validation Result section.
• Correct anything if needed, based on validation result, and try again.

Need to generate a new JWT token instead? Use our JWT Generator Tool.

Token Processing

• Supports standard JWT structure format: {header}.{payload}.{signature}.
• Handles URL-safe Base64 encoding by replacing - and _ with + and /.
• Automatically manages Base64 padding.

Security Features

• All processing is done client-side using the browser’s native APIs.
• Uses Web Crypto API for secure HMAC-SHA256 signature verification.
• No data is transmitted to external servers.
• No token storage or caching.

JWT Signature Verification

• Implements HMAC-SHA256 using the Web Crypto API.
• Supports both raw and Base64-encoded secret keys.
• Provides real-time validation with immediate feedback.

This JWT Decoder online tool uses modern web APIs and requires the following browser features:

• Web Crypto API
• Clipboard API
• TextEncoder
• Javascript async/await support

1. Client-Side Processing: All token processing occurs in your browser. This tool doesn’t send any data to external servers, so your tokens and secrets remain private.
2. Secret Key Handling: The tool uses the secret key only to verify signature locally on your browser. Keys are never stored or transmitted, and the tool doesn’t remember anything after you close your browser.
3. Recommended Best Practices: Do not use the JWT Decoder tool with sensitive production tokens or secrets. Use it for development, testing, and debugging, and clear browser history or cache after working with sensitive data.

We welcome any bug report, feature request, or feedback. Please contact us with as much detail as you can.

Is it safe to decode JWTs using an online tool?

Yes. This tool doesn’t store anything, neither sends to any server for processing. Everything happens right in your browser. However, it is recommended to use any such tool as this for testing and debugging purpose only.

Do I need the secret key to decode a JWT?

No, no secret key is required to be able to decode the payload from the token. But, a key is required to verify the JWT signature, either in plain text or in Base64 encoded.

What algorithms does this JWT decoder support?

For signature validation, this tool supports only “HMAC-SHA256” algorithm at this moment.

Can this tool create JWTs or just decode?

This tool only decodes and verifies signature. Checkout our JWT Generator Tool to create a new token.

What are common JWT payload claims?

There are seven standard claims for JWT as per RFC7519, including iss, sub, aud, exp, nbf, iat, and jti.