JWT Decoder
Paste a JWT to decode its header and payload. All decoding runs in your browser — tokens never leave the page.
What is this for?
A JWT (JSON Web Token) is three base64url-encoded parts joined by dots: header.payload.signature. The header and payload are JSON objects you can inspect; the signature proves the token wasn't tampered with after issuance. This tool decodes the first two parts so you can see what's inside without the noise of base64 — useful when debugging auth flows, expired sessions, or "which user is this token for, exactly?".
When to use it
- Debugging an OAuth / OpenID Connect login that's failing — paste the access or ID token, see what the IdP actually issued.
- Confirming token expiry: the tool decodes exp as a real date and flags it if it's in the past.
- Sanity-checking custom claims a backend is asserting (roles, permissions, tenant IDs).
- Reading a token your library "rejected as invalid" to see whether the issue is structural, expiry, or signature.
Common claims
- iss — issuer (who created the token)
- sub — subject (the user/account it represents)
- aud — audience (who should accept it)
- exp — expiry (Unix timestamp)
- iat — issued-at (Unix timestamp)
- nbf — not-valid-before (Unix timestamp)
Common gotchas
- A decoded JWT is NOT a verified JWT. The signature isn't checked here — that requires the issuer's public key (RSA/EC) or shared secret (HMAC). Decoded contents tell you what the token says, not whether you should trust it. Always verify on the server before honouring claims.
- Don't paste production tokens anywhere. Anyone with a live JWT can impersonate the user until exp. This tool doesn't transmit it from the browser, but extensions, screen recordings, and dev tools can. Use a fresh token from a test environment if you need to share one.
- alg: none tokens are a known attack class. If a header has alg: none and your library accepts it, attackers can forge tokens. Reject this on the server.
- Time skew matters. A token's exp is checked against the verifier's clock. Servers with drift will fail tokens that look valid here.
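The decode-and-inspect logic described on this page, as an added example that is not the tool's own source: it splits the three base64url parts, parses header and payload, and flags an expired exp (against a caller-supplied clock and skew allowance) and an alg: none header, while never claiming the token is verified. The sample token, its issuer URL and the signature placeholder are constructed for the example.

```javascript
// Added example (not the tool's own code): decode a JWT's header and payload
// WITHOUT verifying the signature, then run the checks the page describes:
// expiry against a caller-supplied clock (with optional skew) and an
// "alg": "none" header. Works in Node (Buffer) and in the browser (atob/btoa).

function b64urlDecode(s) {
  // base64url -> standard base64: restore '+' '/' and the '=' padding.
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - (s.length % 4)) % 4);
  if (typeof Buffer !== 'undefined') return Buffer.from(b64, 'base64').toString('utf8');
  return new TextDecoder().decode(Uint8Array.from(atob(b64), (c) => c.charCodeAt(0)));
}

function b64urlEncode(s) {
  // Used only to build the constructed sample token below.
  const bytes = new TextEncoder().encode(s);
  const b64 = typeof Buffer !== 'undefined'
    ? Buffer.from(bytes).toString('base64')
    : btoa(String.fromCharCode(...bytes));
  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error(`expected header.payload.signature, got ${parts.length} part(s)`);
  const [h, p, signature] = parts;
  // The signature segment is kept as-is: decoding it tells you nothing without the key.
  return { header: JSON.parse(b64urlDecode(h)), payload: JSON.parse(b64urlDecode(p)), signature };
}

function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000), skewSeconds = 0) {
  const { header, payload, signature } = decodeJwt(token);
  const warnings = [];
  if (String(header.alg).toLowerCase() === 'none') warnings.push('alg is "none": unsigned token, must be rejected by the verifier');
  if (signature === '') warnings.push('empty signature segment');
  if (typeof payload.exp !== 'number') warnings.push('no exp claim: token never expires');
  else if (payload.exp + skewSeconds < nowSeconds) warnings.push(`expired at ${new Date(payload.exp * 1000).toISOString()}`);
  if (typeof payload.nbf === 'number' && payload.nbf - skewSeconds > nowSeconds) warnings.push('not yet valid: nbf is in the future');
  // verified is always false here: only the server, holding the key, can establish trust.
  return { header, payload, signature, verified: false, warnings };
}

// Constructed sample (not a real token): issued at 1700000000, valid for one hour.
const SAMPLE_JWT = [
  b64urlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' })),
  b64urlEncode(JSON.stringify({ iss: 'https://idp.example', sub: 'user-42', aud: 'api',
                                 iat: 1700000000, exp: 1700003600, roles: ['admin'] })),
  'signature-placeholder',
].join('.');

console.log(JSON.stringify(inspectJwt(SAMPLE_JWT, 1700007200), null, 2)); // clock set one hour after exp
```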