JWT Decoder

Need to decode a JWT token quickly? You’re in the right place. This free online JWT Decoder lets you paste any JSON Web Token to instantly see its header and payload, and even verifies the signature for you – all right in your browser.

Need to generate a new JWT token instead? Use our JWT Generator Tool!

What is a JSON Web Token (JWT)?

A JSON Web Token is a compact, URL-safe string that carries digitally signed claims (like user ID and expiry time) in its header, payload, and signature parts.

If you want to learn everything there’s to know about JWT, you can do so with our dedicated JWT Crash Course

JWT Decoder Tool Features

• Real-time Decoding:
  • Instantly decode and validate the given JWT token as you type or paste
• Signature Verification:
  • Validate JWT signatures using HMAC-SHA256 algorithm
• Base64 Support:
  • Automatically detects and handles both standard and URL-safe Base64 encoding
• Secure Processing:
  • All operations are performed client-side for maximum security. Tokens aren’t transmitted over the network.
• Copy Functionality:
  • Single-click “copy to clipboard” functionality for the decoded token.

How to Decode a JWT Token

1. Decode a Token:
   • Copy the entire JWT Token that you want to decode.
   • Paste your JWT token into the “Token” text-area
   • The JWT Decoder tool will parse it and the header + payload will appear instantly in the “Decoded Token” section
   • Inspect the output to make sure both header and payload is decoded. If any of them hasn’t been decoded, make sure you copied the entire token properly.
2. Copy Results:
   • Click the “Copy Decoded” button to copy the decoded token information to your clipboard
   • Visual feedback confirms successful copying.

How to Verify a JWT Signature

When you done decoding the token successfully as per instruction above, follow these steps:

• Enter the secret key used to sign the token in the “Secret Key” field
• The tool supports both plain text and Base64-encoded secrets
• View the validation result in the “Validation Result” section
• Correct anything if needed, based on validation result and try again.

JWT Decoder Technical Details

Token Processing

• Supports standard JWT structure format ({header}.{payload}.{signature})
• Handles URL-safe Base64 encoding (replacing - and _ with + and /)
• Automatically manages Base64 padding

Security Features

• All processing is done client-side using the browser’s native APIs
• Uses Web Crypto API for secure HMAC-SHA256 signature verification
• No data transmitted to external servers
• No token storage or caching

JWT Signature Verification

• Implements HMAC-SHA256 using the Web Crypto API
• Supports both raw and Base64-encoded secret keys
• Real-time validation with immediate feedback

Browser Compatibility

This JWT Decoder online tool uses modern web APIs and requires the following browser features:

• Web Crypto API
• Clipboard API
• TextEncoder
• Javascript async/await support

Security Considerations

1. Client-Side Processing:
   • All token processing occurs in your browser
   • This tool doesn’t send any data to external servers
   • Your tokens and secrets remain private
2. Secret Key Handling:
   • The tool uses the secret key only to verify signature locally on your browser.
   • Keys are never stored or transmitted
   • The tool doesn’t rememer anything after you close your browser.
3. Recommended Best Practices:
   • Do not use the JWT Decoder tool with sensitive production tokens and/or secrets
   • Clear your browser history/cache after working with sensitive data
   • Use only for development, testing and debugging purposes

Feedback

We welcome any bug report/feature request/feedback. Please contact us with as much details as you can.

JWT Decoder FAQs(Frequently Asked Questions)